Tag Archives: active directory

Active Directory Users and Computers (ADUC): Installation and Uses


Active Directory Users and Computers (ADUC) is a Microsoft Management Console snap-in that you use to administer Active Directory (AD). You can manage objects (users, computers), Organizational Units (OU), and attributes of each.

ADUC is one of the many tools that you can use to administer AD, but since it has been around since Windows 2000, it is one of the most popular. Read on to see how to run and use ADUC to manage AD.

How Do I Add Active Directory Users and Computers?

Some of you might have already looked for ADUC on your laptop to discover that it’s not there. It’s not part of the default installation, and how you get it installed depends on your version of Windows.

In current versions of Windows, ADUC is part of an administrative suite of tools called Remote Server Administration Tools (RSAT).

Remote Server Administration Tools (RSAT)

In an October 2018 update, Microsoft moved all of the Active Directory administration tools to a ‘feature on demand’ called RSAT. Attackers use whatever they can for privilege escalations and exfiltration. They don’t need RSAT to do major damage to your network, but it sure makes it easier! If an attacker got hold of a computer with ADUC installed, they could just change passwords and access rights at will. That would be very bad.

Anyway, if you want to access ADUC on your computer, you need to install RSAT. ADUC is not part of the default installation for any Windows version. Follow the instructions below to install:

Installing ADUC for Windows 10 Version 1809 and Above

    1. From the Start menu, select Settings > Apps.
    2. Click the hyperlink on the right side labeled Manage Optional Features and then click the button to Add feature.
    3. Select RSAT: Active Directory Domain Services and Lightweight Directory Tools.
    4. Click Install.
    5. When the installation completes, you will have a new menu item in the start menu called Windows Administrative Tools.

Installing ADUC for Windows 8 and Windows 10 Version 1803 and Below

    1. Download and install Remote Server Administration Tools for your version of Windows. The link is for Windows 10; other versions are available in the Microsoft Download Center.
    2. Click the Start button and select Control Panel > Programs > Programs and Features > Turn Windows features on or off.
    3. Scroll down the list and expand Remote Server Administration Tools.
    4. Expand Role Administration Tools.
    5. Expand AD DS and AD LDS Tools.
    6. Check AD DS Tools, then select “OK.”
    7. When the install completes you will have a folder for Administrative Tools on the Start menu. ADUC should be in this list.

Troubleshooting RSAT Installation

There are two common installation issues to check if something goes sideways and you can’t get RSAT installed. First, check that you have enabled Windows Firewall: RSAT is delivered through the Windows Update backend, which needs the Windows Firewall service running.

Second, after the install you might be missing tabs and such, usually because an older version was already present and the update didn’t fully apply. Uninstall and reinstall. You can also right click ADUC in the Start menu and verify that the shortcut points to %SystemRoot%\system32\dsa.msc. If it doesn’t point there, you need to uninstall and reinstall for sure.
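The same install and both troubleshooting checks can be scripted. The following is an added example, not from the original post or from Varonis; it assumes Windows 10 version 1809 or later and an elevated PowerShell session. The capability name is the one Windows uses for the "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools" feature on demand.

```powershell
# Added example (not from the original post): install the ADUC feature-on-demand
# from an elevated PowerShell session on Windows 10 1809+, then run the two
# troubleshooting checks from the text (firewall service, dsa.msc location).
$capability = 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'

# Check 1 (do it first): the feature-on-demand download goes through the Windows
# Update backend, which fails when the Windows Firewall service (MpsSvc) is stopped.
$firewall = Get-Service -Name MpsSvc
if ($firewall.Status -ne 'Running') {
    Write-Warning 'Windows Firewall service (MpsSvc) is not running; the RSAT install will fail.'
}

# Install only if the capability is not already present.
$state = Get-WindowsCapability -Online -Name $capability
if ($state.State -ne 'Installed') {
    Add-WindowsCapability -Online -Name $capability
} else {
    Write-Host "$capability is already installed."
}

# Check 2: the snap-in file the Start-menu shortcut must point to. If it is missing
# after an "Installed" state, the old-version problem from the text applies:
# remove the capability and add it again.
$dsaPath = Join-Path $env:SystemRoot 'System32\dsa.msc'
if (-not (Test-Path $dsaPath)) {
    Write-Warning "dsa.msc is missing from $dsaPath; remove and re-add the capability."
    # Remove-WindowsCapability -Online -Name $capability; Add-WindowsCapability -Online -Name $capability
}

# Bonus: the ActiveDirectory PowerShell module ships in the same capability, so its
# presence is a second sign the install completed.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Write-Host 'ActiveDirectory PowerShell module is available.'
}
```

Run it once before and once after the install; the second run should report the capability as installed, dsa.msc present and the module available.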

What is Active Directory Users and Computers Used For?

ADUC can cover most of your AD admin responsibilities. The most important missing task is probably managing GPOs, but you can do most everything else in ADUC.

With ADUC, you can manage the FSMO server roles, reset passwords, unlock users, change group memberships, and too many more to list. There are other tools in RSAT you can also use to manage AD.


  • Active Directory Administrative Center: Allows management for the AD Trash Can (accidental deletes), password policies, and displays the PowerShell history.
  • Active Directory Domains and Trusts: Lets you administer multiple domains to manage domain functional level, manage forest functional level, manage User Principal Names (UPN), and manage trusts between domains and forests.
  • Active Directory Module for Windows PowerShell: Enables the PowerShell cmdlets to administer AD.
  • Active Directory Sites and Services: Allows you to view and manage Sites and Services. You can define the topology of AD and schedule replication.
  • ADSI Edit: ADSI Edit is a low-level tool to manage AD objects. AD experts don’t recommend that you use ADSI Edit; use ADUC instead.

Now let’s look at a few different use cases for ADUC.

ADUC for Delegating Control

Scenario: You are looking to limit the sysadmin team’s responsibility to manage specific domains in your network. You would like to assign two sysadmins per domain, a primary and a backup. Here is how you would do this:

  1. Open ADUC as Admin.
  2. Right click the domain and select Delegate Control.
     [Screenshot: Delegate Control, step 2]
  3. Click through the Wizard until you get to the screen below. Add the user(s) you want to delegate administrative responsibilities to here.
     [Screenshot: Delegate Control, step 3]
  4. Select the user and click Next.
     [Screenshot: Delegate Control, step 4]
  5. Select the tasks you are delegating to this user in the next screen.
     [Screenshot: Delegate Control, step 5]
  6. On the next screen you get a recap; click Finish if it looks correct.
     [Screenshot: Delegate Control, step 6]

ADUC for Adding New Users to Domain

Next we will look at how to add a new user to the domain.

  1. Expand the tree for the domain where you want the new user, right click the Users container and select New -> User.
     [Screenshot: New User, step 1]
  2. Fill in the blanks and click Next.
     [Screenshot: New User, step 2]
  3. Set a password, check the correct boxes, and click Next.
     [Screenshot: New User, step 3]
  4. Verify the user is set up correctly on the next screen and click Finish.
     [Screenshot: New User, step 4]

ADUC for Adding a New Group

And to create a new group, follow these steps:

  1. Just as before, expand the domain, right click the container where you want the new Group to live, and select New -> Group.
  2. Fill in the blanks of the wizard, making sure to select the correct button for “Security” or “Distribution.”
     [Screenshot: New Group, step 2]
  3. Click OK, then find your new group and open it, select the Members tab, and add the correct users to this group.
     [Screenshot: New Group, step 3]
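The New User and New Group wizards above map one-to-one onto ActiveDirectory-module cmdlets, which is how you would do the same thing repeatably and with a record of what was done. This is an added example, not code from the original post or from Varonis; the user, group, OU and share names are assumptions, and the domain is read from the environment.

```powershell
# Added example (not from the original post): the "New User" and "New Group"
# wizards as ActiveDirectory-module cmdlets. The account, group, OU and share
# names below are assumptions.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$targetOU = "OU=SalesUsers,OU=Departments,OU=Employees,$($domain.DistinguishedName)"  # assumed OU

# Wizard step "Fill in the blanks": the name fields.
# Wizard step "Set a password and check the correct boxes": the password is prompted
# for rather than written into the script, and the "User must change password at
# next logon" box is -ChangePasswordAtLogon.
$password = Read-Host -Prompt 'Initial password for jsmith' -AsSecureString
New-ADUser -Name 'Jim Smith' -GivenName 'Jim' -Surname 'Smith' `
    -SamAccountName 'jsmith' -UserPrincipalName "jsmith@$($domain.DNSRoot)" `
    -Path $targetOU -AccountPassword $password -ChangePasswordAtLogon $true -Enabled $true

# Wizard step "New -> Group": the two radio-button sets are scope and category.
# A *Security* group is the kind you can put on an ACL; a Distribution group is
# only a mail list and grants nothing.
New-ADGroup -Name 'Sales-Reports-Readers' -SamAccountName 'Sales-Reports-Readers' `
    -GroupScope Global -GroupCategory Security -Path $targetOU `
    -Description 'Read access to \\fileserver\SalesReports (assumed share)'

# Wizard step "Members tab": add the user.
Add-ADGroupMember -Identity 'Sales-Reports-Readers' -Members 'jsmith'

# Verify from both sides, the way an auditor would: who is in the group, and what
# the new account looks like (enabled, must change password, member of).
Get-ADGroupMember -Identity 'Sales-Reports-Readers' |
    Select-Object SamAccountName, objectClass
Get-ADUser -Identity 'jsmith' -Properties MemberOf, PasswordExpired, Enabled |
    Select-Object SamAccountName, Enabled, PasswordExpired, MemberOf
```

Filling in -Description on the group is the cheap habit that answers "what does this group give access to?" later; the wizard leaves it blank unless you type something.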

The more you know about the intricacies of AD the better prepared you are to defend it.

Varonis monitors and automates the tasks users perform with ADUC. Varonis provides a full audit log of any AD events (users added, logged in, group changes, GPO changes, etc.) and compares the current activity to a baseline of normalized behavior over time. Any new activity that looks like a cyberattack (brute force, ticket harvesting, privilege escalations, and more) triggers alerts that help protect your network from compromise and data breach.

Additionally, Varonis enables your data owners with the power to control who has access to their data. Varonis automates the process to request, approve, and audit data access. It’s a simple but elegant solution to a huge and increasingly important problem.

Want to see all the ways Varonis can help you manage and secure AD? Check out this on-demand webinar: 25 Key Risk Indicators to Help You Secure Active Directory.

5 FSMO Roles in Active Directory


Active Directory (AD) has been the de facto standard for enterprise domain authentication services ever since it first appeared in late 1999 (in Windows Server 2000). There have been several enhancements and updates since then to make it the stable and secure authentication system in use today.

In its infancy, AD had some rather glaring flaws. If you had multiple Domain Controllers (DC) in your domain, they would fight over which DC gets to make changes – and sometimes your changes would stick, and sometimes they wouldn’t. To level up AD and keep the DCs from fighting all the time, Microsoft implemented “last writer wins” – which can be a good thing, or it’s the last mistake that breaks all the permissions.

Then Microsoft took a left turn at Albuquerque and introduced a “Single Master Model” for AD. One DC that could make changes to the domain, while the rest simply fulfilled authentication requests. However, when the single master DC goes down, no changes can be made to the domain until it’s back up.

To resolve that fundamental flaw, Microsoft separated the responsibilities of a DC into multiple roles. Admins distribute these roles across several DCs, and if one of those DCs goes out to lunch, another will take over any missing roles! This means domain services have intelligent clustering with built-in redundancy and resilience.

Microsoft calls this paradigm Flexible Single Master Operation (FSMO).

FSMO Roles: What are They?

Microsoft split the responsibilities of a DC into 5 separate roles that together make a full AD system.


The 5 FSMO roles are:

  • Schema Master – one per forest
  • Domain Naming Master – one per forest
  • Relative ID (RID) Master – one per domain
  • Primary Domain Controller (PDC) Emulator – one per domain
  • Infrastructure Master – one per domain

FSMO Roles: What do They do?

Schema Master: The Schema Master role manages the read-write copy of your Active Directory schema. The AD Schema defines all the attributes – things like employee ID, phone number, email address, and login name – that you can apply to an object in your AD database.

Domain Naming Master: The Domain Naming Master makes sure that you don’t create a second domain in the same forest with the same name as another. It is the master of your domain names. Creating new domains isn’t something that happens often, so of all the roles, this one is most likely to live on the same DC with another role.

RID Master: The Relative ID Master assigns blocks of Security Identifiers (SID) to different DCs they can use for newly created objects. Each object in AD has an SID, and the last few digits of the SID are the Relative portion. In order to keep multiple objects from having the same SID, the RID Master grants each DC the privilege of assigning certain SIDs.

PDC Emulator: The DC with the Primary Domain Controller Emulator role is the authoritative DC in the domain. The PDC Emulator responds to authentication requests, changes passwords, and manages Group Policy Objects. And the PDC Emulator tells everyone else what time it is! It’s good to be the PDC.

Infrastructure Master: The Infrastructure Master role translates Globally Unique Identifiers (GUID), SIDs, and Distinguished Names (DN) between domains. If you have multiple domains in your forest, the Infrastructure Master is the Babelfish that lives between them. If the Infrastructure Master doesn’t do its job correctly you will see SIDs in place of resolved names in your Access Control Lists (ACL).

FSMO gives you confidence that your domain will be able to perform the primary function of authenticating users and permissions without interruption (with standard caveats, like the network staying up).
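The five role holders can be listed from any domain-joined machine with RSAT installed, and that list is also the first thing to check when the symptoms described above appear (unresolved SIDs in ACLs, time drift, password changes not sticking). The following is an added example, not from the original post or from Varonis; it assumes the ActiveDirectory module and reads the domain from the environment. The Infrastructure Master check at the end goes beyond the text: it is a known Microsoft caveat that the Infrastructure Master must not sit on a Global Catalog in a multi-domain forest unless every DC is a GC.

```powershell
# Added example (not from the original post): list the FSMO role holders and
# run two sanity checks a defender would want. Domain/forest come from the
# environment; the ActiveDirectory module (RSAT) is assumed.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles come from the forest object, domain-wide roles from the domain.
$roles = [ordered]@{
    'Schema Master'         = $forest.SchemaMaster           # one per forest
    'Domain Naming Master'  = $forest.DomainNamingMaster     # one per forest
    'RID Master'            = $domain.RIDMaster              # one per domain
    'PDC Emulator'          = $domain.PDCEmulator            # one per domain
    'Infrastructure Master' = $domain.InfrastructureMaster   # one per domain
}
$roles.GetEnumerator() |
    ForEach-Object { [pscustomobject]@{ Role = $_.Key; Holder = $_.Value } } |
    Format-Table -AutoSize

# Cross-check with the classic tool; the two listings must agree.
netdom query fsmo

# Which DCs carry more than one role (the text notes the Domain Naming Master
# usually shares a DC).
$roles.Values | Group-Object | Where-Object Count -gt 1 |
    ForEach-Object { "$($_.Name) holds $($_.Count) roles" }

# Caveat (well-known Microsoft guidance, not from the text): in a multi-domain
# forest the Infrastructure Master must not be a Global Catalog unless all DCs
# are GCs, or cross-domain SID/name translation stops updating, which is the
# "SIDs in place of names in your ACLs" symptom.
$infraDC = Get-ADDomainController -Identity $domain.InfrastructureMaster
$nonGC   = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
if ($forest.Domains.Count -gt 1 -and $infraDC.IsGlobalCatalog -and $nonGC) {
    Write-Warning "Infrastructure Master $($infraDC.HostName) is a GC, but these DCs are not: $($nonGC.HostName -join ', ')"
}

# PDC Emulator as time source: a member shows the DC it syncs from; the DCs in
# turn sync from the PDC Emulator, the root of the domain time hierarchy.
w32tm /query /source
```

If netdom query fsmo and the cmdlet output disagree, replication between DCs is the first suspect, not the roles themselves.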

It’s important to monitor AD in order to prevent brute force attacks or privilege elevation attempts – two common attack vectors for data theft. Want to see how to do it? We can show you. Get a demo to see how Varonis protects AD from both insider and external threats.

 

Active Directory in Plain English


It is tough getting started with Active Directory. There are lots of reasons for this: the years of cruft, the inherent complexity, the intimidating raw power… and the fact that everything has about six different names.

To help make sense of this, we’ve translated AD terms back into something a human might use when conversing with another Active-Directory-using-human. We hope you find it useful.


Term | What it’s Like | How you’d describe it over a beer
--- | --- | ---
Attribute (Property) | A field on a form | The details that make up an Active Directory Object.
Attribute Instance | What you write into a field on a form | The actual value of an attribute. It’s not “Name”, it’s “Jim Smith”.
Class | A form (User, Group) that has all the fields | Top category of everything in Active Directory.
Class Instance | A filled out form | One particular user, “jsmith”.
Content Rules | Required fields on a form | The rules about what a class must have. Can’t create a user without a username and password.
Derivation (Inheritance) | Photocopying a form and changing some stuff | As if you wanted to create one “standard” user and make all the new ones match that.
Directory Information Tree (DIT) | A file cabinet with all your forms in it | Like a family tree, but without all the circular references.
Control Access Rights | Stopping someone from reading, modifying or shredding your form. | It’s the actions, not the objects.
Lightweight Directory Access Protocol (LDAP) | A standard for how information is listed in a tree. | It’s like SMTP or HTTP – a generic protocol implemented by a bunch of different systems.
Class-Schema | Category of form. | That it’s a User, not a Printer or Group form.
Attribute-Schema | List of data in the form. | That Description is of the User, not a group or some other object.
Object Identifier | Internet Domain Names | There’s TLDs like .com, .net, etc. – and there are domains like microsoft.com, and subs like support.microsoft.com – except it’s all numbers so nobody who isn’t an android can read them quickly.
Poss-Superiors | Rules about military ranks. | You can’t have a Father after a Son in a family tree. You can’t have a General under a Sergeant in the Army.
Must-Contain | Required Form Fields. | Rules for the bare minimum set of information you need to create an object.
May-Contain | Optional Form Fields. | Stuff you only enter if you are feeling fancy.
Back Link | A form field (attribute) that gets updated when a “forward” link is updated. | Kind of like a database trigger.
Canonical Name | A path name that uniquely identifies the object | The version of the name that looks like a URL you’d put into a web browser.
Distinguished Name | The label and the value for all parts of a name. | The version of the name that looks like an algebra problem.
Domain Functional Level | Minimum requirements to be in charge. | Check what versions of Windows Server are allowed to be a domain controller on the network.
Domain Controller | Master set of records for a domain. | Database of Active Directory objects for a domain.
Filtered Attribute Set | Do-not-fly list for certain fields. | It’s inefficient to move all the data around, so for Read Only Domain Controllers it makes sense to not send everything.
Forward Link | A form field that, when it’s changed, updates other linked fields | It’s like the authoritative domain entry in DNS.
Group | A folder with a bunch of forms in it | A basket you put other objects into: users, contacts or computers.
Link Table | A linked list | 
Member Server | A Windows server that handles tasks on the network. | Any server that is not a Domain Controller.
Mixed Mode | That one old adapter you keep for the odd bit of kit. | Don’t worry about this unless you’re still doing something with Windows NT.
Native Mode | A new clean server room. | Woohooo – no Windows NT domain controllers.
Naming Context | The drawers you keep your different folders in. | Top level sanity organization elements for all the objects in a network.
Relative Distinguished Name | A nickname for where something is | It’s like saying “your Desktop folder” – it’s relative to the user who is logged in.

Top 10 Active Directory Tutorials on the Web


We’ve all heard of the many benefits of Active Directory (AD) for IT admins: it makes your job simpler because there’s a central vault of user information, and it’s scalable, supporting millions of objects in a single domain. However, it can be a pain in the ACLs to implement and maintain; a cluttered, misconfigured AD can cause even the most veteran sysadmins anxiety.

Don’t go into panic mode, instead review our list of Active Directory tutorials, which explains this essential Windows service in 10 different ways:

  1. Active Directory is what makes businesses work if you’re a corporation with tens (or even hundreds) of thousands of users. Here are some great videos to help you understand:
  2. Explained by System and Network Admins, this Q&A from Server Fault does a thorough job explaining AD.
  3. If you’re a visual learner, I think you’d like to see these slides covering all the components of AD and how they work together.
  4. Even if you’re not studying for your certification, it’s fun to test yourself with these flashcards.
  5. Straight from the source, what is Azure Active Directory?
  6. Now that you know what Azure AD is, you’ll really like Sean Deuby’s compare/contrast of Windows Azure Active Directory and Windows Server Active Directory.
  7. At Varonis, checklists have been a beneficial tool, streamlining our process and benefiting many departments as well as cross-functional teams. While every organization operates differently, here’s a possible checklist for you to consider when planning, installing and configuring AD, and info on documenting Active Directory environments.
  8. A checklist, along with a gentle push in the right direction such as this detailed AD planning and design guide, just might be the right level of guidance you’ll need. And straight from the source: Best Practices for Active Directory Design to Manage Windows Networks.
  9. Top Active Directory Complaint: Lockouts!
    • Once you’re all set up, a common AD complaint is troubleshooting an account lockout issue. The Directory Services team does a great job explaining AD’s UI behavior for account lockouts. It also discusses the differences between Server 2003, Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012
    • Also, don’t miss Andy’s excellent Secrets of Active Directory Lockouts: How to Find Apps with Stale Credentials
    • Download Account Lockout Tool from Microsoft (Supported Operating Systems: Windows 2000, Windows NT, Windows Server 2003)
  10. While a mailing list isn’t a tutorial, sometimes you just need human help. Created in January 2001 with the aim of discussing Active Directory, it has over 1,000 subscribers and 5,000 site members.

Active Directory Security Best Practices


Active Directory security is important because Active Directory (AD) represents the keys to the kingdom. Imagine the box where you store all of the physical keys to every door in the office building. AD is just like that box, but for every computer, software application, and service you run on your entire network. You keep that physical box of keys protected and secured – or you should – and you need even more security to protect AD from cyber attacks.

Verizon’s security team researched over 53,000 cyber attacks for their 2018 Verizon Data Breach Investigation Report. During that research, Verizon confirmed 2,616 data breaches. For comparison, in 2017, the FBI tracked 19,502 burglaries of offices in the United States. It stands to reason that your digital presence is a much bigger target than your physical office space, so let’s dig into AD security and establish best practices to prevent data breaches with a well defended Active Directory.

Why is Active Directory Security Critical?

Why is Active Directory security so important? Because Active Directory is central to all of the steps of the cyber kill chain. To perpetrate an attack, attackers need to steal credentials or compromise an account with malware, then escalate privileges so they have access to all of the resources they need. If you don’t have proper security and audit controls for AD in place, attackers could hide and steal any data they wanted, and you might never know.

[Figure: phases of the cyber kill chain]

Common Active Directory Security Risks

Active Directory has been around since Windows 2000, and that is quite enough time for attackers to figure out many different ways to exploit vulnerabilities in and around the system, including the humans who use the system.

Common Active Directory Security Vulnerabilities

  • Active Directory currently uses Kerberos authentication, which itself has several known weaknesses
  • AD used to rely on NTLM authentication and still supports it, and NTLM is very weak by today’s standards
  • Attackers can use a brute force approach to break into Active Directory accounts
  • Phishing and malware are very common methods of stealing user credentials

User-Related Active Directory Security Threats

  • Phishing also falls under this category, because phishing doesn’t always attack AD directly, but it takes advantage of the human’s desire to click a link
  • Social engineering is phishing but more in person, like someone calling you and saying they are from the IT department and you need to log in with your user and password, but they aren’t from IT, and they just stole your credentials
  • One element of social engineering is spear phishing – impersonating a high ranking officer of a company to deceive others to steal money or data


Active Directory Security Best Practices

To counter the many vulnerabilities and attacks used to break into AD, security experts have developed a set of best practices for securing Active Directory.

Document Your Active Directory

To keep a clean and secure AD, you must know everything about that AD – and I do mean everything. Document naming conventions and key security policies in addition to every user, service account, computer, and access group.

Here’s a good first checklist:

  • Identify all of your computers, users, domain, and OU naming conventions.
  • Describe your OU hierarchy, DNS configuration, network numbering conventions, and DHCP configuration.
  • List the main functions of your GPOs and the process of organization.
  • Take note of the locations of AD’s Flexible Single Master Operation (FSMO) roles.
  • Identify the organization’s policy when adding new user accounts or when revoking user accounts.
  • Describe the organization’s policy for user restrictions.
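Most of that checklist can be pulled from the directory itself and exported, so that the document is regenerated rather than hand-maintained and can be diffed from one month to the next. The following is an added example, not from the original post or from Varonis; it assumes the ActiveDirectory and GroupPolicy modules from RSAT, and the output folder is an assumption.

```powershell
# Added example (not from the original post): a first pass at the documentation
# checklist above, exported to CSV files that can be diffed over time. The output
# folder is an assumption; RSAT's ActiveDirectory and GroupPolicy modules are needed.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$out = 'C:\ADDocs'   # assumed location
New-Item -ItemType Directory -Path $out -Force | Out-Null

# OU hierarchy: CanonicalName reads like a path (corp.example/Employees/Departments),
# which is the form people actually recognise in a document.
Get-ADOrganizationalUnit -Filter * -Properties CanonicalName, Description |
    Sort-Object CanonicalName |
    Select-Object CanonicalName, DistinguishedName, Description |
    Export-Csv "$out\ous.csv" -NoTypeInformation

# Every user, computer and access group (security groups are the ones on ACLs).
Get-ADUser -Filter * -Properties Enabled, LastLogonDate, Description |
    Select-Object SamAccountName, Enabled, LastLogonDate, DistinguishedName, Description |
    Export-Csv "$out\users.csv" -NoTypeInformation
Get-ADComputer -Filter * -Properties OperatingSystem, LastLogonDate |
    Select-Object Name, OperatingSystem, LastLogonDate, DistinguishedName |
    Export-Csv "$out\computers.csv" -NoTypeInformation
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -Properties Description, ManagedBy |
    Select-Object SamAccountName, GroupScope, ManagedBy, Description, DistinguishedName |
    Export-Csv "$out\security-groups.csv" -NoTypeInformation

# Service accounts: any user with a Service Principal Name is one, whatever its
# name says. These accounts rarely rotate passwords, so PasswordLastSet belongs
# in the document and in your monitoring baseline.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName, PasswordLastSet |
    Select-Object SamAccountName, PasswordLastSet,
                  @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ';' } } |
    Export-Csv "$out\service-accounts.csv" -NoTypeInformation

# GPOs and where each is linked. The "main function" column is the GPO Description,
# which is empty unless someone filled it in, so blanks here are findings too.
Get-GPO -All | ForEach-Object {
    $gpo   = $_
    $links = (Get-ADObject -LDAPFilter "(gPLink=*$($gpo.Id)*)" -Properties gPLink).DistinguishedName -join ';'
    [pscustomobject]@{
        Name        = $gpo.DisplayName
        Id          = $gpo.Id
        Status      = $gpo.GpoStatus
        Modified    = $gpo.ModificationTime
        Description = $gpo.Description
        LinkedTo    = $links
    }
} | Export-Csv "$out\gpos.csv" -NoTypeInformation
```

DNS and DHCP configuration are on the servers rather than in the directory, so they are documented separately; the point of the export is that the directory half of the checklist costs nothing to keep current.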

Enforce Safe Practices Among Users

Once you have the rest of your security stack tightened up, the weak link in your data security will be the humans themselves. Research shows that humans will click a phishing link or get fooled by a whale phishing or social engineering scam – it’s going to happen. It is vital that you prepare and train your users to recognize these threats and have the ability to notify the Incident Response team if they suspect an attacker compromised their account.

Here are some other basics to enforce with your users:

  • Enforce a good password policy. What is a good password policy? That is still up for debate. NIST recently updated their policy, and other security experts recommend an encrypted password manager to keep randomized long passwords safe. In any case, the longer the password with more character options the better.
  • Train users to recognize phishing attacks.
  • Prevent users from making administrative changes on their laptop that could compromise their security.
  • Give System Administrators two accounts: one for normal usage and an Administrator account to perform changes.
  • Limit administrative accounts to the assigned systems, with redundancies in place of course. You don’t want a single Admin account that can open all the “doors.”

Secure Domain Controller

Make it close to impossible to reach your Domain Controllers. You can configure your network to allow access to DCs only from a hardened and secured computer without access to the internet. Adding this layer of security will keep your DC safer from outside intrusion and lateral movement or privilege escalation attacks from inside your network.

Employ the Least Privilege Model

The least privilege model is one of the best investments you can make to keep your networks secure from cyberattacks. Least privilege says that each user only has access to the resources they need to do their job, including admins and service accounts. If any account gets compromised, using the least privilege model will minimize your overall risk of exposure to data theft.

Monitor Active Directory for Compromise

Lastly and most importantly, monitor Active Directory. You should know every change, every login request, and every GPO change that happens on your DCs. That’s a huge amount of data and will require automation to analyze. Varonis monitors Active Directory and correlates perimeter telemetry, file activity, and user behavior to detect unusual activity or abnormal behaviors. You can uncover critical misconfigurations, monitor & alert on changes to security groups, GPOs, OUs, and other AD objects. Varonis then leverages advanced data security threat models to determine if there are current behaviors or events that indicate a possible cyberattack.

For example, a user logging in after-hours isn’t necessarily all that interesting, but a user logging in after-hours from a different country and then accessing sensitive credit card data is! Varonis makes sense of the chaos in your data so you can protect AD and prevent data breaches.

Monitoring Active Directory is so important, in fact, that we’ve created a dashboard just for that. You can track disabled accounts, accounts without passwords or non-expiring passwords, and even any accounts with weak encryption settings. These metrics represent areas of risk in AD, and provide a way for you to prioritize resolving those issues.


Want to learn more about Active Directory cyberattacks – and how to stop them? Check out our on-demand webinar 25 Key Risk Indicators to Help Secure Active Directory – and see our dashboards in action.

Tracking this data daily will show you if someone creates a new account incorrectly, if an attacker has changed the encryption type, or any number of other indicators of a cyberattack.
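The metrics named above (disabled accounts, accounts that do not require a password, non-expiring passwords, weak encryption settings) are all flags on the account object and can be computed with the ActiveDirectory module and compared day to day. The following is an added example, not from the original post or from Varonis' dashboard; it assumes the ActiveDirectory module, the report location is an assumption, and the userAccountControl bit values are Microsoft's documented ones.

```powershell
# Added example (not from the original post): compute the account-hygiene metrics
# named in the text and diff today's result against the previous run. The report
# folder is an assumption; the bit values are Microsoft's documented flags.
Import-Module ActiveDirectory

$UAC_PASSWD_NOTREQD     = 0x0020     # account may have an empty password
$UAC_ENCRYPTED_TEXT_PWD = 0x0080     # password stored with reversible encryption
$UAC_DONT_EXPIRE_PASSWD = 0x10000    # password never expires
$UAC_USE_DES_KEY_ONLY   = 0x200000   # Kerberos restricted to DES
$UAC_DONT_REQ_PREAUTH   = 0x400000   # Kerberos pre-authentication disabled

$users = Get-ADUser -Filter * -Properties userAccountControl, PasswordLastSet, LastLogonDate,
                                          'msDS-SupportedEncryptionTypes'

$findings = foreach ($u in $users) {
    $uac    = $u.userAccountControl
    $issues = @()
    if (-not $u.Enabled)                    { $issues += 'disabled' }
    if ($uac -band $UAC_PASSWD_NOTREQD)     { $issues += 'password-not-required' }
    if ($uac -band $UAC_DONT_EXPIRE_PASSWD) { $issues += 'password-never-expires' }
    if ($uac -band $UAC_ENCRYPTED_TEXT_PWD) { $issues += 'reversible-encryption' }
    if ($uac -band $UAC_USE_DES_KEY_ONLY)   { $issues += 'des-only' }
    if ($uac -band $UAC_DONT_REQ_PREAUTH)   { $issues += 'no-kerberos-preauth' }
    if ($null -eq $u.PasswordLastSet)       { $issues += 'password-never-set' }
    # msDS-SupportedEncryptionTypes bits: 0x1/0x2 DES, 0x4 RC4, 0x8 AES128, 0x10 AES256.
    # A value with no AES bit means tickets for this account fall back to RC4.
    $etypes = $u.'msDS-SupportedEncryptionTypes'
    if ($null -ne $etypes -and -not ($etypes -band 0x18)) { $issues += 'no-aes-etypes' }

    if ($issues) {
        [pscustomobject]@{
            Account   = $u.SamAccountName
            Enabled   = $u.Enabled
            LastLogon = $u.LastLogonDate
            Issues    = ($issues -join ',')
        }
    }
}

# Daily tracking: write today's report and compare with the most recent earlier one,
# so a flag that appeared overnight (an account created wrong, an encryption type
# changed) stands out instead of being buried in the full list.
$reportDir = Join-Path $env:TEMP 'ad-hygiene'          # assumed location
New-Item -ItemType Directory -Path $reportDir -Force | Out-Null
$today = Join-Path $reportDir ('{0:yyyyMMdd}.csv' -f (Get-Date))
$findings | Sort-Object Account | Export-Csv $today -NoTypeInformation

$previous = Get-ChildItem -Path $reportDir -Filter '*.csv' |
    Where-Object FullName -ne $today | Sort-Object Name | Select-Object -Last 1
if ($previous) {
    Compare-Object (Import-Csv $previous.FullName) (Import-Csv $today) -Property Account, Issues |
        Where-Object SideIndicator -eq '=>' |
        ForEach-Object { Write-Warning "New or changed finding: $($_.Account): $($_.Issues)" }
}

# Summary for the dashboard: how many accounts carry each combination of issues.
$findings | Group-Object Issues | Select-Object Count, Name | Sort-Object Count -Descending
```

An enabled account with password-not-required or no-kerberos-preauth set is the kind of finding to act on the same day; a disabled account with password-never-expires is mostly noise until someone re-enables it, which the daily diff will show.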

The Difference Between Organizational Units and Active Directory Groups

Active Directory loves hierarchy. Domains, Organizational Units (OUs), groups, users, and so forth. Sometimes it can be confusing—how do I best structure my AD? We’ve written a bit about domains (How do I name my domain? What happens if I rename my domain?), but today our focus will be on the difference between OUs and groups.

Groups

Active Directory groups are used to assign permissions to company resources. As a best practice, you place users into groups and then apply the groups to an access control list (ACL).

It’s quite typical to have your AD groups mirror your company hierarchy (e.g., a group for Finance, Marketing, Legal, etc.).

Organizational Units

Organizational Units are useful when you want to deploy group policy settings to a subset of users, groups, and computers within your domain.

For example, a domain may have 2 sub-organizations (e.g., consumer and enterprise) with 2 separate IT teams managing them. Creating 2 OUs lets each IT team administer their own policies that affect only the users, computers, etc. that fall within their unit.

Organizational Units also allow you to delegate admin tasks to users or groups without having to make them an administrator of the directory.

Here’s an example: let’s assume that you have an organizational unit structure such that the top level OU is named Employees and the child OUs are Departments and HRUsers. Departments also includes child OUs such as SalesUsers, EngineeringUsers, FinanceUsers, and ExecutiveUsers. If you wanted someone from the IT department to have the ability to reset the password for all employees in all departments, you would establish that delegation of administration at the Departments OU level. If, however, you wanted a manager from the HR department to be able to reset the passwords for only the HR users, you would configure the delegation of administration on the HRUsers OU, giving them the ability to reset passwords exclusively for these users.

What kind of common administrative tasks can you delegate via OUs?

  • Managing users (create, delete, etc.)
  • Managing groups
  • Modifying group membership
  • Managing group policy links
  • Resetting passwords on user accounts
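The Employees / Departments / HRUsers example above, and the Delegate Control wizard described earlier on this page for ADUC, both come down to access control entries on the OU object. The following is an added example, not from the original post or from Varonis, showing the password-reset delegation at both OU levels with dsacls and then a review of every explicit OU delegation, which is the part the wizard never shows you. The group names and OU paths are assumptions; the domain is read from the environment; the GUID is the well-known User-Force-Change-Password control access right.

```powershell
# Added example (not from the original post): delegate "reset password" at two OU
# levels with dsacls, then list every explicit delegation on every OU. Group names
# and the OU layout are assumptions; the domain comes from the environment.
Import-Module ActiveDirectory
$domain   = Get-ADDomain
$domainDN = $domain.DistinguishedName
$nb       = $domain.NetBIOSName

# HR managers may reset passwords for HR users only.
#   /I:S  inherit to child objects only (the OU object itself is not changed)
#   /G    grant; CA = control-access right, by display name, scoped to user objects
dsacls "OU=HRUsers,OU=Employees,$domainDN" /I:S /G "$nb\HR-PasswordReset:CA;Reset Password;user"

# IT helpdesk may reset passwords for everyone under Departments (all child OUs).
dsacls "OU=Departments,OU=Employees,$domainDN" /I:S /G "$nb\IT-Helpdesk:CA;Reset Password;user"

# Review: every non-inherited Allow ACE on every OU, flagging the ones that grant
# password reset (directly, or via GenericAll which includes it).
$resetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # User-Force-Change-Password
$genericAll        = [System.DirectoryServices.ActiveDirectoryRights]::GenericAll

$report = Get-ADOrganizationalUnit -Filter * | ForEach-Object {
    $ou  = $_
    $acl = Get-Acl -Path "AD:\$($ou.DistinguishedName)"   # AD: drive comes with the module
    $acl.Access |
        Where-Object { -not $_.IsInherited -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object {
            [pscustomobject]@{
                OU        = $ou.DistinguishedName
                Principal = $_.IdentityReference.Value
                Rights    = $_.ActiveDirectoryRights
                Inherit   = $_.InheritanceType
                ResetPwd  = ($_.ObjectType -eq $resetPasswordGuid) -or
                            (($_.ActiveDirectoryRights -band $genericAll) -eq $genericAll)
            }
        }
}

# Built-in principals (Account Operators, SYSTEM, ...) are on every OU by default;
# hide them so the delegations people added stand out.
$report |
    Where-Object { $_.Principal -notmatch '^(NT AUTHORITY|BUILTIN)\\' } |
    Sort-Object OU, Principal |
    Format-Table OU, Principal, ResetPwd, Rights -AutoSize
```

Run the review part on its own periodically: a ResetPwd entry on a high-level OU for a principal nobody recognises is exactly the kind of quiet privilege the text warns about, and it will not appear in any group membership listing.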

The Difference Between…

This isn’t the only “what’s the difference between” question that comes up over and over. Check out some of the other ones:

How Can I Find Out Which Active Directory Groups I’m a Member Of?


The ability to administer and maintain up-to-date user lists and groups is critical to the security of an organization.

Using the GUI

There are a number of different ways to determine which groups a user belongs to. First, you can take the GUI approach:

  1. Go to “Active Directory Users and Computers”.
  2. Click on “Users” or the folder that contains the user account.
  3. Right click on the user account and click “Properties.”
  4. Click “Member of” tab.

Using the Command Line

Not so fun clicking around, is it? How about some command line options?

  1. Open up a command prompt (cmd.exe or PowerShell)
  2. Run: gpresult /V

You’ll get output that looks like this (I’ve truncated it to only include the group info):

[Output of gpresult /V, truncated to the group membership section]

You could also run whoami /groups to get similar info. This command will also list distribution groups and nesting (i.e., if you’re in Group A which is itself a member of Group B, it’ll display Group B).

Not satisfied yet? Try net user [username] /domain as yet another option.

The Bigger Question

As you can see, there are plenty of ways to ascertain Active Directory group membership, manually and programmatically. But the question that almost always goes unanswered is: “What exactly does this group give access to?”

This is an especially tricky question to answer when you have poorly named groups, but even with pristine group names, mistakes are made and you’ll almost always find that groups give unwarranted access to data.

Practical Next Steps

So how do you connect the dots between Active Directory group memberships and the files, folders, SharePoint sites, and mailboxes they’re connected to? Using only the native tools and Windows management options, it’s a hugely daunting and time-consuming task.
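Connecting those dots with native tools is tedious, but it can at least be automated for one user and one share tree, which is the form the question usually takes ("what can jsmith read under \\fileserver\Shares?"). The following is an added example, not from the original post or from Varonis DatAdvantage; it assumes the ActiveDirectory module, and the account name and share path are assumptions. It goes a step beyond the commands above by resolving nested membership server-side with the LDAP_MATCHING_RULE_IN_CHAIN rule and then matching those groups against folder ACLs.

```powershell
# Added example (not from the original post): a user's direct and nested group
# membership, then every ACE on a share tree that applies to that user through
# those groups. The account name and share root are assumptions.
Import-Module ActiveDirectory

$user = Get-ADUser -Identity 'jsmith'   # assumed account

# Direct memberships (primary group included): what the "Member of" tab shows.
$direct = Get-ADPrincipalGroupMembership -Identity $user |
    Select-Object -ExpandProperty SamAccountName

# Nested memberships: the matching-rule OID 1.2.840.113556.1.4.1941 makes the DC
# walk the chain, so Group B is returned when jsmith is in A and A is in B.
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($user.DistinguishedName))" |
    Select-Object -ExpandProperty SamAccountName

"Direct: {0}"      -f ($direct -join ', ')
"Nested-only: {0}" -f (($nested | Where-Object { $_ -notin $direct }) -join ', ')

# "What does this group give access to?" for one folder: every ACE whose principal
# is the user, one of the user's groups, or a well-known group everyone is in.
function Get-EffectiveFolderAccess {
    param([string]$Path, [string[]]$Principals)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        # IdentityReference looks like 'CORP\Group' or 'Everyone'; compare the name part.
        $name = $ace.IdentityReference.Value.Split('\')[-1]
        if ($name -in $Principals) {
            [pscustomobject]@{
                Path      = $Path
                Principal = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

$principals = @($user.SamAccountName) + $direct + $nested +
              'Everyone', 'Authenticated Users'      # implicit memberships
$shareRoot  = '\\fileserver\Shares'                   # assumed share root

# Walk two levels of folders; each Get-Acl is one network call, so keep the depth small.
Get-ChildItem -Path $shareRoot -Directory -Recurse -Depth 2 |
    ForEach-Object { Get-EffectiveFolderAccess -Path $_.FullName -Principals $principals } |
    Sort-Object Path, Principal |
    Format-Table Path, Principal, Rights, Type, Inherited -AutoSize
```

Explicit (non-inherited) entries for a nested-only group are the ones to read twice: the user gets that access through a group they were never knowingly added to, which is how the "unwarranted access" described above usually arises.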

Get a 1-on-1 demo of Varonis DatAdvantage to see a saner, easier and above all more secure way to manage your Active Directory users.

Risks of Renaming Your Domain in Active Directory


As a sysadmin, there might be moments where you’ll find the need to change, merge, or rename your domain. Hopefully you name your domain well the first time, but there are still many reasons why you might need to rename a domain, for instance: an organizational restructuring, merger, buyout or expansion. Keep in mind that a rename is not designed to accommodate forest mergers or the movement of domains between forests.

With long checklists, constraints and precautions, renaming a domain is not a simple undertaking, and the time required to complete a domain rename is proportional to the deployed AD forest – in terms of domain count, domain controllers and computers. There are also no step-by-step instructions for domain renames (that I could find), therefore the key to renaming a domain successfully is to do all the necessary prep work and to understand what areas might be affected.

When renaming your domain, here are, in my opinion, two major considerations:

  1. The risk of locking out users if steps in the process are missed
  2. Applications that are incompatible with the domain rename

Users Will Not Be Able to Log In

There are a couple of steps at the end of the domain rename process, if not planned and executed properly, that will impact your users greatly – i.e., they will not be able to log in. Here’s what you’ll need to review (probably multiple times):

During the Domain Rename: Local vs Remote

When you are performing the domain rename operation, connect as many workstations as possible via wired LAN. Any remote computers that connect to the new domain through a remote connection such as a VPN will need to unjoin the old domain and rejoin the new domain.

Reboot Workstations Twice

Once the domain rename is complete, each user’s computer that is joined to the renamed domain must be rebooted twice AFTER all domain controllers are back up. Rebooting twice ensures that each computer learns the new domain name and that the change is propagated to all applications running on it. Each computer must be restarted by logging in and using the Shutdown/Restart option. Do not restart the computer by turning the power off and then back on.

Remove the Old Domain

Once the domain members are updated, run the rendom /clean command, which removes the old domain names from Active Directory. If you run rendom /clean while there are members that have not yet been rebooted twice, you will have to rejoin them to the domain.

Also, if you execute rendom /clean before all the machines in the domain have been rebooted twice, they won’t be able to access the domain, because rendom /clean removes the old domain name from Active Directory, including “removing all values of ms-DS-DnsRootAlias from the domain name operations master.”[1]
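A pre-flight check for the step above, written here as an added example (it is not part of the original post or of Microsoft’s rendom procedure): before rendom /clean is run, ask every computer object in the forest which domain it currently believes it belongs to and whether it has booted since the domain controllers came back up. It assumes the RSAT ActiveDirectory module is installed, the operator’s account can query CIM on the members, and that $NewDomainFqdn and $RenameCompletedAt are placeholders the operator replaces.

```powershell
# Added example, not from the page. Lists members that are NOT safe for 'rendom /clean'.
Import-Module ActiveDirectory

$NewDomainFqdn     = 'ad.company.com'               # placeholder: the domain's new DNS name
$RenameCompletedAt = Get-Date '2024-01-01T08:00:00' # placeholder: when all DCs were back up

$notReady = foreach ($c in Get-ADComputer -Filter * -Properties DNSHostName) {
    # Members that have not rebooted still carry the old DNSHostName; fall back to the short name
    $target = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }
    try {
        $cs = Get-CimInstance -ClassName Win32_ComputerSystem  -ComputerName $target -ErrorAction Stop
        $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $target -ErrorAction Stop
    } catch {
        # Offline or VPN-only machines cannot be verified here; they must be handled by hand
        [pscustomobject]@{ Name = $c.Name; Reason = "unreachable: $($_.Exception.Message)" }
        continue
    }
    # Win32_ComputerSystem.Domain is the FQDN the member currently uses; it only changes after a reboot
    if ($cs.Domain -ne $NewDomainFqdn) {
        [pscustomobject]@{ Name = $c.Name; Reason = "still reports domain '$($cs.Domain)'" }
    } elseif ($os.LastBootUpTime -lt $RenameCompletedAt) {
        # No boot since the DCs returned, so neither of the two required restarts has happened
        [pscustomobject]@{ Name = $c.Name; Reason = "last boot $($os.LastBootUpTime) predates the rename" }
    }
    # Note: a boot time after the rename proves one restart, not two; the second must still be confirmed
}

if ($notReady) {
    Write-Warning "Do NOT run 'rendom /clean' yet. $(@($notReady).Count) member(s) are not ready:"
    $notReady | Format-Table -AutoSize
} else {
    Write-Host "All reachable members report $NewDomainFqdn and have booted since $RenameCompletedAt."
}
```

Run it from a wired workstation with the renamed forest’s credentials; anything it reports as unreachable is exactly the set of remote machines the previous section says must be rejoined.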

Applications Incompatible with Domain Renaming

With Exchange 2003 and 2008, the Active Directory DNS name can be changed; however, a number of Exchange versions are incompatible with domain renaming, including:

  • Microsoft Exchange 2000 Server
  • Microsoft Exchange Server 2007
  • Microsoft Exchange Server 2010
  • Microsoft Exchange Server 2013

There are also non-Exchange applications that may be impacted, but Exchange is emphasized because email is often the most utilized form of communication and would be impacted most if you were to perform a domain rename. Also, renaming the NetBIOS domain name is not supported in any version of Exchange Server. Lastly, keep in mind that non-Microsoft applications may also not support a domain rename.

If you perform an AD rename with an unsupported version of Exchange, you will need to create a new AD forest, install Exchange into the new forest, and migrate all the objects. However, this process is very time intensive and may not be realistic to undertake.

Workaround: When Exchange is Incompatible with a Domain Rename

You might find yourself in a situation where your Exchange application is incompatible with a domain rename but you’re tasked with creating a new external domain name for emailing purposes. Here’s what you’ll need to do:

  1. Register your new domain name
  2. Create a redirect so that emails sent to the old email addresses will be automatically forwarded to the new email address

When you follow this procedure, everyone will know you by your new name because of your awesome new email address, your AD domain won’t need to be renamed, and users won’t be impacted.


[1] http://technet.microsoft.com/en-us/library/cc738208(v=ws.10).aspx

Best Practices for Naming an Active Directory Domain


When you’re naming domains, it should be planned as carefully as you would in naming your first child – of course I’m exaggerating – but it’s worth planning carefully. For those of you who fail to heed this advice, we’ve written a tutorial on how to rename a domain. 🙂

Popular Domain Naming Mistakes

Before we discuss current best practices, there are a couple of popular practices that are no longer recommended.

The first is using a generic top-level domain. Generic TLDs like .local, .lan, .corp, etc., are now being sold by ICANN, so the domain you’re using internally today, company.local, could potentially become another company’s property tomorrow. If you’re still not convinced, here are some more reasons why you shouldn’t use .local in your Active Directory domain name.

Secondly, if you use an external public domain name like company.com, you should avoid using the same domain as your internal Active Directory name because you’ll end up with a split DNS. Split DNS is when you have two separate DNS servers managing the exact same DNS Forward Lookup Zone, increasing the administrative burden.

Better Naming Options

For the time being, until things change, as they inevitably do, here are two domain naming options for you.

The first one is to use an inactive sub-domain of a domain that you use publicly, for instance ad.company.com or internal.company.com. Advantages of this most-preferred approach include:

  • Only one domain name needs to be registered – even if you later decide to make part of your internal name publicly accessible
  • Enables you to simply and separately manage internal and external domains
  • All internal domain names will be globally unique

The only microscopic drawback is that you’ll have more to type when entering FQDNs on your internal network, so make your subdomain name as short as possible!

However, if it is not feasible for you to configure your internal domain as a subdomain, you can use another domain that you own which isn’t used elsewhere. For instance, if your public web presence is company.com, your internal domain can be named company.net, provided that it’s registered to you and not used anywhere else. The main advantage is that you’ve secured a unique internal domain name. The disadvantage is that this approach requires you to manage two separate names.

And, once you’ve mulled over names, you’ll want to visit this site to ensure you don’t let a tiny colon : or tilde ~ ruin your day.