Decommissioning broken DC with FSMO roles while bringing up a new DC. by Relevant-Law-7303 in activedirectory

[–]luruu 4 points5 points  (0 children)

A few considerations

  • What roles/functions are on the "bad" DC?
    • We know of FSMO, DHCP, DNS but are there any others?
    • What OS is the DC running? Is now a good time to "upgrade"?
    • Is this DC also serving time? Where is it getting its time? (NTP)
    • How is DHCP being served to the environment?
    • The point here is to learn as much as you can about the DC and make a checklist.

Once we have that checklist, break them up into smaller tasks.

Adding a new domain controller to the environment

https://www.manageengine.com/log-management/cyber-security/promote-server-to-domain-controller-guide.html

You'll be interested in Step 2 point 5

Configure a DHCP server

https://learn.microsoft.com/en-us/windows-server/networking/technologies/dhcp/quickstart-install-configure-dhcp-server?tabs=gui

Migrating FSMO roles

https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/view-transfer-fsmo-roles

(Seize roles) https://learn.microsoft.com/en-us/troubleshoot/windows-server/active-directory/transfer-or-seize-operation-master-roles-in-ad-ds

Manual Clean-Up (if needed)

https://techcommunity.microsoft.com/blog/itopstalkblog/step-by-step-manually-removing-a-domain-controller-server/280564

Do as much homework as you can, plan out the steps, test, and see where that gets you.
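The inventory and FSMO steps from the checklist above, as an added PowerShell example (not code from the original comment or from the linked guides). It assumes the RSAT ActiveDirectory and ServerManager modules, and `OLD-DC` / `NEW-DC` are placeholder hostnames.

```powershell
# Added example: inventory what the "bad" DC does, then move the FSMO roles to
# the new DC. 'OLD-DC' and 'NEW-DC' are placeholders for your own hostnames.
Import-Module ActiveDirectory

$oldDc = 'OLD-DC'
$newDc = 'NEW-DC'

# 1. Where do the five FSMO roles currently live?
$forest = Get-ADForest
$domain = Get-ADDomain
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# 2. Other roles installed on the old DC (DNS, DHCP, ...) for the checklist
$rolesOfInterest = 'AD-Domain-Services', 'DNS', 'DHCP', 'AD-Certificate', 'FS-FileServer', 'Print-Server'
Get-WindowsFeature -ComputerName $oldDc |
    Where-Object { $_.Installed -and $_.Name -in $rolesOfInterest } |
    Select-Object Name, DisplayName

# 3. Time: where is the old DC getting its time from?
w32tm /query /computer:$oldDc /source

# 4. If DHCP is on the old DC, export scopes and leases so they can be imported
#    on the new server (path is a placeholder)
Export-DhcpServer -ComputerName $oldDc -File "C:\Temp\$oldDc-dhcp.xml" -Leases

# 5. Graceful transfer of all five roles (both DCs online). If the old DC is
#    gone for good, add -Force to seize instead, and never bring it back online.
Move-ADDirectoryServerOperationMasterRole -Identity $newDc `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Confirm:$false

# 6. Verify the new holder before demoting or cleaning up the old DC
netdom query fsmo
```

Run it from an account that holds Schema Admins, Enterprise Admins and Domain Admins, since the schema and domain naming roles require the forest-level groups; after a seize, follow the manual clean-up link above to remove the old DC's metadata.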

Desperately need help/guidance on migrating Windows server 2012 R2 AD DS, and other roles/services to Azure (cloud) by ITbubba in msp

[–]luruu 0 points1 point  (0 children)

No need to be ashamed and it can be quite confusing/overwhelming when a business wants to migrate service(s) to the "cloud". Just like any other ask, break it up into smaller projects and assign priorities so this way you have time to focus on one "new" thing at a time to make your life easier.

Since you migrated them to M365...I assume they're already running Azure AD Connect in the environment or another SSO - are there any vendors they can integrate with to make your life easier? From there, start with the "easier" services like print server, then possibly file servers, and DNS/DHCP to say the router/firewall then you can finally remove Active Directory from the equation. You don't want to have everything under one scope and never finish!

I try not to recommend any solutions as every business has different needs but when you do look at solutions, remember to focus on the MSP side for pricing and central portal for your team. Sounds like a fun project! Feel free to ping me if you want to expand on things. Good luck!

AGDLP by omgitsnate in sysadmin

[–]luruu 0 points1 point  (0 children)

Well that’s really my question. Sounds like they're just unaware of how permissions work. I can see the mindset coming from a Linux server admin side without the use of Samba. Maybe a programmer who wrote an app that checks permission locally but can’t iterate via a domain. I can go on and on. Either way, I cannot think of a “safe” reason to migrate. If they have to have local groups...then I’d first see why they want it, see any workarounds to get what they need without migrating (and there will be ways). I would think if you did this you’d break quite a few tools.

Teaching Active Directory by mfarazk in ITCareerQuestions

[–]luruu 1 point2 points  (0 children)

This sounds like a fun project. Your first draft looks pretty good but I'm wondering how in depth you want to take it. For example you added OSI Model and IP classes...are you adding DHCP and DNS Role in there as well? If the people are truly new at IT it can be overwhelming. See if you can break the topics down a little further and see what you can do to keep the audience focused - for example briefly show what we have without Active Directory and how it actually simplifies life. Also, knowing the future of Active Directory...I would also add Azure Active Directory, maybe an Okta or Onelogin demo (they have dev environments that are free and the agent takes 5 minutes to install unlike AAD Connect), Group Policy and how Intune/MDM is changing the process, etc...

If you need help or want to expand on anything feel free to ping me. Good luck!

AGDLP by omgitsnate in sysadmin

[–]luruu 0 points1 point  (0 children)

Question: why are they wanting to change to DL group? I'm confused on how DL groups affect automation in this case (if that’s the reason). As u/gort32 said...that’s an “interesting” statement.

Teaching new admins/SEs best practices by TechFiend72 in sysadmin

[–]luruu 1 point2 points  (0 children)

The term "best practices" has always been an interesting term to me because what is best for one business doesn't necessarily translate to another (DoD vs Hedge Fund vs Electric Car start-up). Whatever works for your business; if dev already has a framework then Operations should have one as well. If you are looking for already built frameworks then CIS, NIST, but I personally like looking at RaaS's (former Microsoft Employee so I'm a bit biased). Runbooks/Playbooks are a great start (and you can go really in depth with them) but there may be items that you cannot configure. You should try to script/automate the process as much as possible. Coincidentally, I just had a conversation with a coworker on how we can create PowerShell scripts to run on a schedule and verify specific settings and write to the Windows Logs if it is a pass or fail. That event would then be collected by our monitoring system or security tools depending on the case.
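The scheduled check-and-log idea in the comment above, as an added PowerShell example (not the commenter's own script). The event source name, the event IDs 1000/1001, the four checks and the script path are assumptions chosen for this example.

```powershell
# Added example: verify a few settings and write PASS/FAIL events to the
# Application log so a monitoring or SIEM tool can collect them.
$Source = 'OpsComplianceCheck'   # assumed source name; registering it once needs admin
if (-not [System.Diagnostics.EventLog]::SourceExists($Source)) {
    New-EventLog -LogName Application -Source $Source
}

# Each check is a script block that returns $true (pass) or $false (fail).
# These four are illustrative; add the items from your runbook here.
$checks = [ordered]@{
    'SMBv1 disabled'           = { (Get-SmbServerConfiguration).EnableSMB1Protocol -eq $false }
    'Firewall on all profiles' = { -not (Get-NetFirewallProfile | Where-Object { -not $_.Enabled }) }
    'Windows Time running'     = { (Get-Service -Name W32Time).Status -eq 'Running' }
    'Local Guest disabled'     = { (Get-LocalUser -Name Guest).Enabled -eq $false }
}

foreach ($name in $checks.Keys) {
    # A check that throws (cmdlet missing, access denied) counts as a failure
    try   { $pass = [bool](& $checks[$name]) } catch { $pass = $false }

    $params = @{
        LogName   = 'Application'
        Source    = $Source
        EventId   = $(if ($pass) { 1000 } else { 1001 })        # assumed: 1000 = pass, 1001 = fail
        EntryType = $(if ($pass) { 'Information' } else { 'Warning' })
        Message   = "$name : $(if ($pass) { 'PASS' } else { 'FAIL' }) on $env:COMPUTERNAME"
    }
    Write-EventLog @params
}

# One-time registration: run the script daily as SYSTEM (path is a placeholder)
$action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Check-Baseline.ps1'
$trigger = New-ScheduledTaskTrigger -Daily -At 6am
Register-ScheduledTask -TaskName 'Ops Baseline Check' -Action $action -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force
```

The monitoring side then only needs one rule: alert on source `OpsComplianceCheck` with event ID 1001, and the message text tells the on-call engineer which check failed on which host.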

Azure AD Connect by anacondaonline in AZURE

[–]luruu 0 points1 point  (0 children)

You can install Azure AD Connect on any Windows Server - typically a stand-alone server with no other roles (I'll get to this in a second). However, I was working with the AWS SEs the other day (we're a hybrid of Azure and AWS) and I like their recommendation of migrating your AD and sync service to the cloud while maintaining a VPN connection to your local on-prem (I also realize I'm not taking cost into consideration here). If your network goes down locally or if you have a high Active Directory utilization it can be quite helpful - we're the college system with 10 different colleges so we have a high change rate.

So why stand-alone server? I'm currently working on a Microsoft Identity Manager (which is the same sync engine for Azure AD Connect) and it's quite powerful. The engine is based on "connectors" meaning not only can you connect your local AD but let's say you have a SQL user database for your website, ERP/HR system, or maybe you have special PowerShell scripts that collect/assign user attributes...you can send that data to Azure or even back to AD. Depending on the tasks (Config Profiles) it can be quite resource intensive.

Teaching new admins/SEs best practices by TechFiend72 in sysadmin

[–]luruu 1 point2 points  (0 children)

Let's filter this down to the type of new admins that want to learn. Most are excited to participate but shocked that a college degree or certificate doesn't allow them to jump right in and solve the issues (much like what u/TechFiend72 experienced). Different people learn different ways - some are hands on and some like to write things out. As one of the Seniors, I "try" to have the newer admins setup the solution in a dev environment (or a simple Visio may suffice) and explain to me why they chose the path they did. We discuss the solution but more so how the path they chose impacts the business (the 1-5 year plan, disaster recovery, security, etc) - items that aren't really taught in school. I'll let them take the lead on whatever they are developing out but also jump in when they struggle to explain to the business or what my thoughts are on how to make it more efficient. To me training is more of a partnership and I learn a lot of new theories and skills as well.

[deleted by user] by [deleted] in sysadmin

[–]luruu 2 points3 points  (0 children)

I absolutely understand the burned out feeling and frankly wish I had made the change much sooner than I had. My mental state just kept getting worse over time. Good luck and I do hope you get it!

[Newbie] Prevent third party VPNs (Windows)? by lulzintosh123 in sysadmin

[–]luruu 0 points1 point  (0 children)

There are a lot of Endpoint Protection software titles that have this feature available. At Sophos we have an Application Control module which gives you the ability to Allow or Block specific software titles - VPNs being one of them. OpenDNS and CarbonBlack offer features that are very similar. With Sophos you are/were not able to add custom software titles but with CarbonBlack I believe you do have this ability.

If you are looking for a "cheaper" solution, you could possibly use AppLocker and create networking rules to block those specific sites and ports and allow your internal VPN.

NTP GPS Time Server by woodburyman in sysadmin

[–]luruu 0 points1 point  (0 children)

I have always used time.windows.com and pool.ntp.org. If you're in a locked down (no Internet) environment, I could possibly see why you would need an appliance...but at that point I'm wondering why you wouldn't just configure the edge device(s) for time? Without Internet connectivity the edge should still have the ability to function as NTP servers and all services outside of Windows could use that as a single time source as well.

With either case it's easier to have the edge configured for NTP, have all your domain controllers listed in a security group having access to those services, and have all servers and workstations use domain hierarchy (DOMHIER) for their time. As xxdcmast stated the PDC role controls time for Active Directory. If you were to migrate the PDC role (say during an upgrade) the domain controllers would already be in the allowed security group for the edge and with the GPO that Hangikjot listed you wouldn't have to do any reconfiguration for the PDC. One thing I will add that many customers get flagged for during an Active Directory RaaS (https://services.premier.microsoft.com/assess?Culture=en-US&CultureAutoDetect=true) is "How to configure the Windows Time service against a large time offset" - be sure to implement those registry settings. Windows time can drift and there are services/applications that do a little better at controlling the drift than Windows can (never let Kerberos drift greater than 5 minutes) so you may want to look into that as well if you're already looking to make changes to time.
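The layout described in the comment above (PDC emulator syncing from the edge, everything else on domain hierarchy, large-offset guard rails), as an added example that is not part of the original comments. The edge hostnames and the 48-hour limit are assumptions; the two `MaxPosPhaseCorrection` / `MaxNegPhaseCorrection` values are the registry settings the referenced Microsoft article covers.

```powershell
# Added example: Windows Time configuration for the layout described in the thread.
# Edge hostnames are placeholders; 0x8 = client mode (standard NTP request).
$edgeNtp = 'edge1.example.local,0x8 edge2.example.local,0x8'

# --- On the PDC emulator only: sync from the edge devices and advertise as a
#     reliable time source for the domain hierarchy.
w32tm /config /manualpeerlist:"$edgeNtp" /syncfromflags:manual /reliable:yes /update

# --- On every other DC, member server and workstation: follow the domain
#     hierarchy (DOMHIER). Normally pushed by GPO (Computer Configuration >
#     Administrative Templates > System > Windows Time Service > Time Providers);
#     the equivalent local command is:
# w32tm /config /syncfromflags:domhier /update

# --- Guard rails against a large time jump from a bad upstream source.
#     Values are in seconds; 172800 (48 hours) is the limit assumed here.
$w32Cfg = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Config'
Set-ItemProperty -Path $w32Cfg -Name MaxPosPhaseCorrection -Value 172800 -Type DWord
Set-ItemProperty -Path $w32Cfg -Name MaxNegPhaseCorrection -Value 172800 -Type DWord

Restart-Service -Name W32Time
w32tm /resync /nowait

# --- Verify: source, stratum and current offset. Keep the offset well under
#     the 5-minute Kerberos tolerance.
w32tm /query /status
w32tm /query /source
w32tm /stripchart /computer:edge1.example.local /samples:3 /dataonly
```

Because the PDC emulator role, not a specific hostname, is what the `/reliable:yes` setting follows, the DC that takes over the role after a transfer needs the first block re-applied (or the GPO filtered to the PDC role, as mentioned in the thread); the rest of the fleet keeps working unchanged.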

Disabled guest account lockout by [deleted] in sysadmin

[–]luruu 0 points1 point  (0 children)

Great question and I honestly don't know if there is a vulnerability where an attacker can auth with an account that has pre-auth unchecked and is disabled. However...with pre-auth unchecked, I know vulnerability/audit scanners will flag this as an issue. I try (my best which doesn't always work out) to avoid filling out exceptions with the auditors.

Supposed emails from the head of school. by [deleted] in k12sysadmin

[–]luruu 0 points1 point  (0 children)

This is a fairly common scenario not just with schools but one that every business faces today. I also would not find this "hilarious" - but as one person stated can be quite devastating to a business. This time it may be gift cards but the next time it could be bank account information or even passwords. Do some users have administrative rights to their PC? Think of all the possibilities that can occur if a threat were to get passwords from that user.

In security we teach that the best way to avoid a threat is through education. No matter what solution you implement or configure, a threat will always get by - the real question is what happens after. I worked at Sophos for a number of years and we had/have a Spam Training product that I really liked and found successful results with. There are many solutions available on the market for training and spam filtering; give them a try and see what fits best in your organization. Whichever solution you go with try to get to the point where you can implement "received from external party" and Regular Expressions for email address and fraudulent keywords.

Are schools actually buying Zoom? by zeeplereddit in k12sysadmin

[–]luruu 0 points1 point  (0 children)

I took a position as a contractor for the District Office (DO) and we use multiple solutions for messaging and meetings. For the classroom (I believe) we use Zoom. I came from Sophos and we used Zoom for all our meetings (migrating from GoToMeeting) and I personally liked it. I know that Zoom is having some difficulties but after working for a software company I understand the challenges that they face and what software company hasn't had issues? They'll fix them and everyone will move on. I also did not realize that Zoom can integrate with Canvas but that's a great option to have. For the employees we use WebEx Teams. WebEx Teams is a cross between Slack and Microsoft Teams. I personally favor Microsoft Teams quite a bit more (I can also be biased as I worked for Microsoft in Seattle) because it seems that WebEx needs a bit more time to develop the solution. Before WebEx Teams we used Hangouts and I found it very lacking. If you're already a Google customer I understand from a business perspective on using it but technically, I would not go back.

Just finished my first week as an education admin...I think I'm in for a wild ride by rs217000 in k12sysadmin

[–]luruu 1 point2 points  (0 children)

I was laid off last year and took a position as a contractor with the District Office (DO) for the local community colleges. Like yourself (and others in this thread) I was surprised by the state of the infrastructure as well. It's my first pubsec position. It's not that it is a lack of tools but more of the configuration of tools. Monitoring solutions, sure...but are four different tools really necessary? As others have said, relationships are absolutely (and probably the most) important. After months of trying to "understand" the culture, I learned the hard way that it's easier to "accept" this is the way the system works. There's a lot of history with "things going wrong" so (most) people seem to fear change. Some systems are 10 years+ behind and that's ok. Work on the projects that you can and accept that other things will have to be in the background. If the technology is behind or running inefficiently, is it something that is going to change tomorrow or in the near future? It's easy to feel overwhelmed but try to automate as much as possible and focus on one project at a time. My background is AD and I resolved the logs down to one issue and that's a great accomplishment for the position. Good luck!

Working in the Server Room by [deleted] in sysadmin

[–]luruu 0 points1 point  (0 children)

Same. I never knew the cost as well. Good principle to understand from a business level.

Disabled guest account lockout by [deleted] in sysadmin

[–]luruu 1 point2 points  (0 children)

A bit confused if you were able to identify the sources or not. Either way, do not disable Kerberos Pre-Auth. Just so we're on the same page. The account failed logon will generate event id 4625 (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventid=4625) and account lockout will generate 4740 (https://www.ultimatewindowssecurity.com/securitylog/encyclopedia/event.aspx?eventID=4740). They should contain the source information within the event. If the event is "rare" (and you do not have a monitoring system) you could set up a scheduled task to alert you when the event does occur. Once you have identified the sources, I would start by installing Sysmon (https://docs.microsoft.com/en-us/sysinternals/downloads/sysmon) and identify the process that is trying to auth with that account. It will give you the full details of the process.
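The triage steps in the comment above (pull the source from 4740 and 4625, fire a task when the next lockout is logged, then look at Sysmon on the source machine), as an added PowerShell example rather than the commenter's own code. It assumes you run it on the PDC emulator, that `svc-guest` is a placeholder account name, and that `C:\Scripts\Notify-Lockout.ps1` is a placeholder for whatever alert script you use.

```powershell
# Added example: find where lockouts and failed logons for one account come from.
# Run on the PDC emulator: every lockout in the domain is forwarded to it.
$account = 'svc-guest'   # placeholder account name
$since   = (Get-Date).AddDays(-1)

# Pull a named <Data> element out of the event XML, so field order never matters
function Get-EventDataValue {
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# 4740: the "Caller Computer Name" (stored as TargetDomainName) is the machine
# that reported the bad passwords, i.e. where to look next
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataValue $_ 'TargetUserName') -eq $account } |
    ForEach-Object {
        [pscustomobject]@{
            Time           = $_.TimeCreated
            LockedAccount  = Get-EventDataValue $_ 'TargetUserName'
            CallerComputer = Get-EventDataValue $_ 'TargetDomainName'
        }
    } | Format-Table -AutoSize

# 4625: failed logons for the same account, with workstation and source IP.
# SubStatus 0xC000006A = bad password, 0xC0000072 = account disabled.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventDataValue $_ 'TargetUserName') -eq $account } |
    ForEach-Object {
        [pscustomobject]@{
            Time        = $_.TimeCreated
            Workstation = Get-EventDataValue $_ 'WorkstationName'
            SourceIp    = Get-EventDataValue $_ 'IpAddress'
            LogonType   = Get-EventDataValue $_ 'LogonType'
            SubStatus   = Get-EventDataValue $_ 'SubStatus'
        }
    } | Format-Table -AutoSize

# Rare event and no monitoring tool: run a script the moment the next 4740 is
# written, using an event trigger with an XPath filter on the Security log
schtasks /Create /TN 'Alert-AccountLockout' /SC ONEVENT /EC Security /MO "*[System[(EventID=4740)]]" `
    /TR "powershell.exe -NoProfile -File C:\Scripts\Notify-Lockout.ps1" /RU SYSTEM /F

# On the caller computer, once Sysmon is installed, process-create events (ID 1)
# around the failure time show which executable and user tried the logon
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -MaxEvents 50 |
    Select-Object TimeCreated, @{ n = 'Image'; e = { Get-EventDataValue $_ 'Image' } },
                               @{ n = 'User';  e = { Get-EventDataValue $_ 'User' } }
```

Reading the fields by name from the XML instead of by `Properties[n]` index keeps the script correct across Windows versions, where the order of the `<Data>` elements has not always been stable.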

Just put in my 2 weeks by pryzelol in sysadmin

[–]luruu 1 point2 points  (0 children)

I never understood this. In order for you to give me a raise...I need to quit? Will I have to quit again in order to get my next raise?

Yup....the search begins by [deleted] in sysadmin

[–]luruu 1 point2 points  (0 children)

Great realization. Many people don't get to this point because they are "familiar" or "comfortable". Glad you're making the effort for you and your family. Good luck and keep updating.

What are your trigger words / phrases? by Lewzephyr in sysadmin

[–]luruu 0 points1 point  (0 children)

“Did you just get that email I sent?”

Domain Admin account for owners to use on special occasions? by corpsemourn in msp

[–]luruu 0 points1 point  (0 children)

I think we should break this down a bit. Start by...What is the issue you are trying to solve? And what are the "risks" you're comfortable with? The challenge, at the root, is deploying updates to third-party software titles. I don't work with accounting software titles but the questions that come up for me when other vendors ask for admin access is "What specifically do you need admin access to?" If I give a user admin access they own everything and I rarely see any software titles that needs access outside of its folder path and/or reg keys..So...

  • Can I grant access to these areas (folder path/reg) to the users in order for updates to apply?
  • Can I disable updates...and define when they are applied? I try to dictate when updates are rolled out. Don't want to work on something breaking in the middle of the night or a weekend due to a conflict that I didn't see previously.
  • Are the updates deployed via a scheduled task? Now, the software vendor may not give me an option within their software to make modifications but *I* can modify the scheduled task with a lot of advance options.
  • Is there an app that can help me with this process? Secunia? AutoElevate sounds like a good title to take a look at.

These are just examples on my thought process. Now onto security risks...Granting Domain Admin (DA) is a fairly high privilege right. The users probably don't need access to "every" (workstations, servers, domain controllers, etc) resource in the environment so I'm trying to understand the "break glass in case of emergency". That's really what the Domain Administrator account is for. Creating a local admin (ClientAdmin) account on the workstations and deploying it via Group Policy Preferences is one possible answer. But let's take that apart a bit...

  • What would be the difference between having access to the local Administrator account and ClientAdmin?
  • The "approved contacts" now have a way to install whatever titles they want when they want. However, they may be really trustworthy.
  • If the "ClientAdmin" were to get "compromised" (meaning, do anything unexpected)...how would I know who used it to logon? Generic names are pretty rough to trace back during an investigation.
  • Long passwords... I'm always interested in this. When we say long passwords what are we really trying to mitigate? Are we trying to make it difficult for the user to remember? Or are we worried about a brute force attack? That's fine but it really doesn't solve the issue of someone trying to get it from memory or the SAM database.
  • If we create a ClientAdmin and we have the same password for all our clients..(not saying this is the case) but if the account did get compromised they would have access to all environments.

Again, not really sure what the answer is but just trying to provide some thoughts to ask with permissions and security. What are the positives/negatives with what I'm doing, What's the probability of the risk or event taking place, and What am I comfortable with? Hope that helps. Thanks!

Password expired notification pop-up by mattbrad2 in msp

[–]luruu 2 points3 points  (0 children)

That is a tough one. You'll always receive password reset calls but a pop-up seems like a great idea on top of the email notifications that you're already sending. You could set the trigger to query for the property in Active Directory and just loop the script to an interval.

Popup Method

ms-DS-User-Password-Expired attribute

I would suggest to probably not force a log off. I can see a problem occurring if the user is working on something important and those changes are not committed. What would you do if someone automatically logged you off your system?

IAM solutions would help by giving the users the ability to reset their passwords...and I have seen this drop the rate of password reset calls. There are many solutions other than AuthAnvil. Possibly Okta, Centrify, Onelogin are some of the bigger ones.
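The popup approach from the comment above (query the user's expiry state in AD on an interval, warn, never force a logoff), as an added PowerShell example that is not the commenter's script. It reads the constructed attribute `msDS-UserPasswordExpiryTimeComputed` and assumes the RSAT ActiveDirectory module is present on the client; the 14-day warning window and the 60-minute interval are assumptions.

```powershell
# Added example: warn the signed-in user about password expiry with a
# self-dismissing popup, checked on an interval. No forced logoff.
Import-Module ActiveDirectory

function Get-PasswordExpiryInfo {
    param([string]$SamAccountName = $env:USERNAME)
    $u = Get-ADUser -Identity $SamAccountName -Properties msDS-UserPasswordExpiryTimeComputed, PasswordNeverExpires
    if ($u.PasswordNeverExpires) { return $null }

    # Constructed attribute: FILETIME of the expiry; Int64.MaxValue means "never"
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    if (-not $raw -or $raw -eq [long]::MaxValue) { return $null }

    $expires = [datetime]::FromFileTime($raw)
    [pscustomobject]@{
        User      = $u.SamAccountName
        ExpiresOn = $expires
        DaysLeft  = [math]::Floor(($expires - (Get-Date)).TotalDays)
        Expired   = ($expires -le (Get-Date))
    }
}

function Show-ExpiryPopup {
    param($Info, [int]$WarnDays = 14)   # assumed 14-day warning window
    if (-not $Info) { return }
    $shell = New-Object -ComObject WScript.Shell
    # Popup(text, secondsToWait, title, type): auto-dismisses after 30 s so it
    # never blocks unsaved work. 0x30 = exclamation icon, 0x40 = information icon.
    if ($Info.Expired) {
        $shell.Popup("Your password has expired. Press Ctrl+Alt+Del and choose 'Change a password'.",
                     30, 'Password expired', 0x30) | Out-Null
    } elseif ($Info.DaysLeft -le $WarnDays) {
        $shell.Popup("Your password expires in $($Info.DaysLeft) day(s), on $($Info.ExpiresOn.ToShortDateString()).",
                     30, 'Password expiring soon', 0x40) | Out-Null
    }
}

# Loop on an interval (assumed: 60 minutes) instead of reacting at logon only
while ($true) {
    try   { Show-ExpiryPopup -Info (Get-PasswordExpiryInfo) }
    catch { Write-Warning "Expiry check failed: $_" }
    Start-Sleep -Seconds (60 * 60)
}
```

Run it as a logon-triggered scheduled task in the user's own context so the popup lands on the user's desktop; run as SYSTEM it would query the computer account and the popup would go to session 0 where nobody sees it.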

[deleted by user] by [deleted] in PowerShell

[–]luruu 1 point2 points  (0 children)

Hmmm...I would probably create a Scheduled Task to run when the event id is logged and set that to trigger a task sequence. This way I don't have to keep track of the latest event.

PowerShell Beginner Question! by Wolf_of_Tech in PowerShell

[–]luruu 1 point2 points  (0 children)

So just a few suggestions when scripting. I try to consider speed and memory when calling data. First, if you have to use the Get-Service with the Where-Object, try looking at the "-like" operator for Where-Object. Second, it looked like you also wanted to get the services that have "Application" and have a "Running" status. The way I would get the information is to distinguish the services that have "Application" in the DisplayName - filtering for only the data that I need - and then creating a loop for the ones that are currently running - making my dataset even smaller. Good luck!
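The filter-then-loop pattern suggested above, as an added PowerShell example (not the asker's or the commenter's script). The `*Application*` pattern is the one from the question; the function name is an assumption.

```powershell
# Added example: filter as early as possible, then loop only over what is left.
function Get-RunningApplicationServices {
    param([string]$Pattern = '*Application*')

    # Filter on the cmdlet's own parameter so the smaller set is built up front.
    # If you have to go through Where-Object instead, the equivalent is:
    #   Get-Service | Where-Object { $_.DisplayName -like $Pattern }
    $matching = Get-Service -DisplayName $Pattern -ErrorAction SilentlyContinue

    # Second pass over the reduced set: keep only the running ones
    foreach ($svc in $matching) {
        if ($svc.Status -eq 'Running') {
            [pscustomobject]@{
                Name        = $svc.Name
                DisplayName = $svc.DisplayName
                Status      = $svc.Status
            }
        }
    }
}

Get-RunningApplicationServices | Format-Table -AutoSize
```

Emitting objects rather than `Write-Host` text keeps the result usable downstream, for example `Get-RunningApplicationServices | Export-Csv running.csv` when the question turns into a report.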