In this article, I will show you 10 tips for Active Directory administrators to make Active Directory more secure. It is also worth looking at the articles listed at the end of this article, where each point is examined in more detail.
Activate and check the Active Directory recycle bin
When no other options are available, you can use the Active Directory Recycle Bin to restore deleted objects. The feature is not switched on by default, so you must activate the AD Recycle Bin first.
Once enabled, the recycle bin cannot be disabled again, but you should still check from time to time that it is working and that deleted objects actually end up in it.
For example, the recycle bin can be activated from the forest context menu in the Active Directory Administration Center.
If the recycle bin is already active, the option to enable it is grayed out. The Active Directory Administrative Center collects deleted objects in the “Deleted Objects” container.
Protect important organizational units from being removed.
By default, most organizational units are protected against accidental deletion. To protect an OU yourself, enable the “Protect object from accidental deletion” option in the “Object” tab of the OU properties. Removing the check mark allows the organizational unit to be deleted again.
To see this tab, the “Advanced Features” option must be turned on in the “View” menu of the Active Directory Users and Computers console.
Protect AD sites, important groups and users from being deleted
The protection against accidental deletion can also be activated for other objects. You can do this for sites in the Active Directory Sites and Services console, for example. Of course, you can also use this method to protect other objects, such as groups and user accounts. Particularly sensitive objects deserve this setting.
Regularly diagnose domain controllers and replication
Even if Active Directory is running stably, it makes sense to occasionally use “dcdiag” and “repadmin /showreps” to test the status of the domain controllers and replication. You can use “dcdiag /v” for a more thorough analysis.
This way, problems in the environment can be identified quickly. The tools only take a few seconds to run, and you can enter any error message into a search engine to find a solution.
Delete or disable accounts that are no longer needed
For security reasons, user accounts that have not been used for a period of time should be disabled or removed. This closes security holes, since attackers could otherwise use accounts that are no longer needed to attack the domain.
Set up and verify time synchronization
For Active Directory to function properly, the time on the servers, and especially on the domain controllers, must not drift too far apart. Therefore, it is worth checking the time on the domain controllers regularly to make sure time synchronization is working.
The PDC emulator (PDC master) in your environment must also be working normally. The easiest way to check the time at the command prompt is the “net time” command. You can use “net time \\<computer>” to check the time of another computer on the network. This makes it easy to determine whether all domain controllers and servers are running synchronously.
Check the operations master
Operations masters have important tasks in Active Directory. The operations master (FSMO) roles should be checked regularly. Importantly, the domain controllers configured as operations masters must also be functioning and remain available on the network.
Check the members of the administrator group
Administrators should regularly verify which user accounts in the forest have administrator privileges. The easiest way is to view the groups in “Active Directory Users and Computers” (dsa.msc) in the “Users” container.
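A PowerShell health check (an added example, not taken from the original article) that pulls together several of the checks described above: the recycle bin, OU deletion protection, stale accounts, the operations master roles and the administrative groups. It assumes the ActiveDirectory RSAT module is installed, a 90-day inactivity threshold and the four built-in admin groups listed in the script.

```powershell
# Added example: read-only health check covering several of the tips above.
# Requires the ActiveDirectory RSAT module; run as a domain user with read access.
# The 90-day inactivity window and the group list are assumptions, adjust to your policy.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Tip 1: is the Active Directory Recycle Bin enabled?
$rb = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($rb.EnabledScopes.Count -eq 0) { Write-Warning 'AD Recycle Bin is NOT enabled' }
else { Write-Output 'AD Recycle Bin: enabled' }

# Tips 2/3: OUs that lack protection from accidental deletion
Get-ADOrganizationalUnit -Filter * -Properties ProtectedFromAccidentalDeletion |
    Where-Object { -not $_.ProtectedFromAccidentalDeletion } |
    ForEach-Object { Write-Warning "OU not protected: $($_.DistinguishedName)" }

# Tip 5: enabled user accounts not used for 90 days (assumed threshold)
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate |
    Format-Table -AutoSize

# Tip 7: which DCs hold the operations master (FSMO) roles, and do they answer?
$fsmo = @{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
foreach ($role in $fsmo.Keys) {
    $dc = $fsmo[$role]
    $up = Test-Connection -ComputerName $dc -Count 1 -Quiet
    Write-Output ("{0,-22} {1,-30} reachable={2}" -f $role, $dc, $up)
}

# Tip 8: who holds administrative rights (nested group membership resolved)
$adminGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'
foreach ($g in $adminGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object { $_.objectClass -eq 'user' }
    Write-Output "$g : $($members.Count) user(s)"
    $members | ForEach-Object { Write-Output "    $($_.SamAccountName)" }
}
```

Enterprise Admins and Schema Admins exist only in the forest root domain, which is why the lookup ignores errors when run in a child domain.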
Check Active Directory sites and subnets
Sites and subnets are managed in the Active Directory Sites and Services console. You should regularly check whether each subnet is still assigned to the correct site and whether the domain controllers in that site are still available.
You can use “nltest /dsgetsite” on the command line to test whether a domain controller is assigned to the correct site. Within a single site, verify that the replication connections between the domain controllers still exist and are working properly.
Verify and clean the DNS database
Name resolution plays an important role in Active Directory. On critical servers, you should occasionally use “nslookup” to check that the domain controllers and other servers can still be resolved.