SysAdmin MAGAZINE

Active Directory
Handy Guides
 Contents SysAdmin Magazine July 2022

SysAdmin Contents
Magazine

71
3 What are FSMO Roles in Active Directory?
July ‘22
№
12 What Is a Global Catalog Server?

16 Active Directory Certificate Services: Risky Settings

SysAdmin Magazine is a free
source of knowledge for IT Pros
and How to Remediate Them
who are eager to keep a tight
grip on network security and do 20 Active Directory Object Recovery Using the Recycle Bin
the job faster.

25 How to: Restore Deleted AD Objects

26 Tool of the Month: Netwrix PolicyPak

The Sysadmin Magazine team

sysadmin.magazine@netwrix.com

2
 Contents SysAdmin Magazine July 2022

What are FSMO

these situations through a special set of roles. Microsoft In a multi-domain environment, each domain will have its
has begun referring to these roles as the operations mas- own Infrastructure Master, RID Master and PDC Emulator.
ter roles, but they are more commonly referred to by their When a new domain is added to an existing forest, only

Roles in Active original name: flexible single-master operator (FSMO) roles. those three domain-level FSMO roles are assigned to the ini-
tial domain controller in the newly created domain; the two

Directory?
enterprise-level FSMO roles (Schema Master and Domain
Naming Master) already exist in the forest root domain.
What are FSMO Roles?
Schema Master
Kevin Joyce The 5 FSMO Roles
Senior Technical Product Manager at Netwrix Schema Master is an enterprise-level FSMO role; there is
Active Directory has five FSMO roles: only one Schema Master in an Active Directory forest.

▪ Schema Master The Schema Master role owner is the only domain con-
Active Directory (AD) allows object creations, updates and
▪ Domain Naming Master troller in an Active Directory forest that contains a writable
deletions to be committed to any authoritative domain
▪ Infrastructure Master schema partition. As a result, the DC that owns the Sche-
controller (DC). This is possible because every DC (except
▪ Relative ID (RID) Master ma Master FSMO role must be available to modify its for-
read-only DCs) maintains a writable copy of its own domain’s
▪ PDC Emulator est’s schema. Examples of actions that update the schema
partition. Once a change has been committed, it is repli-
include raising the functional level of the forest and up-
cated automatically to other DCs through a process called In every forest, there is a single Schema Master and a single
grading the operating system of a DC to a higher version
multi-master replication. This behavior allows most opera- Domain Naming Master. In each domain, there is one Infra-
than currently exists in the forest.
tions to be processed reliably by multiple domain control- structure Master, one RID Master and one PDC Emulator.
lers and provides for high levels of redundancy, availability At any given time, there can be only one DC performing the The Schema Master role has little overhead and its loss
and accessibility in Active Directory. functions of each role. Therefore, a single DC could be run- can be expected to result in little to no immediate opera-
ning all five FSMO roles; however, in a single-domain envi- tional impact. Indeed, unless schema changes are neces-
An exception applies to certain Active Directory operations ronment, there can be no more than five servers that run sary, it can remain offline indefinitely without noticeable
that are sensitive enough that their execution is restricted the roles. effect. The Schema Master role should be seized only when
to a specific domain controller. Active Directory addresses the DC that owns the role cannot be brought back online.

3
 Contents SysAdmin Magazine July 2022

Bringing the Schema Master role owner back online after RID Master a considerable length of time because of a relatively low
the role has been seized from it can introduce serious data volume of object creation events. Bringing a RID Master
Relative Identifier Master (RID Master) is a domain-level
inconsistency and integrity issues for the forest. back online after having seized its role can introduce du-
role; there is one RID Master in each domain in an Active
plicate RIDs into the domain, so this role should be seized
Directory forest.
only if the DC that owns it cannot be brought back online.
Domain Naming Master The RID Master role owner is responsible for allocating ac-
tive and standby Relative Identifier (RID) pools to DCs in its
Domain Naming Master is an enterprise-level role; there
domain. RID pools consist of a unique, contiguous range Infrastructure Master
is only one Domain Naming Master in an Active Directory
of RIDs, which are used during object creation to generate
forest. Infrastructure Master is a domain-level role; there is one
the new object’s unique Security Identifier (SID). The RID
Infrastructure Master in each domain in an Active Directo-
The Domain Naming Master role owner is the only domain Master is also responsible for moving objects from one
ry forest.
controller in an Active Directory forest that is capable of domain to another within a forest.
adding new domains and application partitions to the for- The Infrastructure Master synchronizes objects with the
In mature domains, the overhead generated by the RID
est. Its availability is also necessary to remove existing do- global catalog servers. The Infrastructure Master will com-
Master is negligible. Since the primary domain controller
mains and application partitions from the forest. pare its data to a global catalog server’s data and receive
(PDC) in a domain typically receives the most attention
any data not found in its database from the global cata-
The Domain Naming Master role has little overhead and its from administrators, leaving this role assigned to the do-
log server. If all DCs in a domain are also global catalog
loss can be expected to result in little to no operational im- main PDC helps ensure its availability. It is also important
servers, then all DCs will have up-to-date information (as-
pact, since the addition and removal of domains and parti- to ensure that existing DCs and newly promoted DCs, es-
suming that replication is functional). In such a scenario,
tions are performed infrequently and are rarely time-criti- pecially those promoted in remote or staging sites, have
the location of the Infrastructure Master role is irrelevant
cal operations. Consequently, the Domain Naming Master network connectivity to the RID Master and are reliably
since it doesn’t have any real work to do.
role should need to be seized only when the DC that owns able to obtain active and standby RID pools.
the role cannot be brought back online. The Infrastructure Master role owner is also responsible
The loss of a domain’s RID Master will eventually lead to
for managing phantom objects. Phantom objects are used
result in an inability to create new objects in the domain
to track and manage persistent references to deleted ob-
as the RID pools in the remaining DCs are depleted. While
jects and link-valued attributes that refer to objects in an-
it might seem that unavailability of the DC owning the RID
other domain within the forest (e.g., a local-domain securi-
Master role would cause significant operational disruption,
ty group with a member user from another domain).
in mature environments the impact is usually tolerable for

4
 Contents SysAdmin Magazine July 2022

The Infrastructure Master may be placed on any domain cerns, the PDCE registers as the target DC for legacy ap- ensures that passwords can reliably be processed even
controller in a domain unless the Active Directory forest plications that perform writable operations and certain if recent changes have not fully propagated through
includes DCs that are not global catalog hosts. In that case, administrative tools that are unaware of the multi-mas- scheduled replication. The PDCE is also responsible for
the Infrastructure Master must be placed on a domain ter behavior of Active Directory DCs. processing account lockouts, since all failed password
controller that is not a global catalog host. authentications are passed to the PDCE.
▪ Time synchronization. Each PDCE serves as the mas-
ter time source within its domain. The PDCE in forest ▪ Group Policy updates. All Group Policy object (GPO)
The loss of the DC that owns the Infrastructure Master role
root domain serves as the preferred Network Time updates are committed to the domain PDCE. This pre-
is likely to be noticeable only to administrators and can be
Protocol (NTP) server in the forest. The PDCE in every vents versioning conflicts that could occur if a GPO was
tolerated for an extended period. While its absence will
other domain within the forest synchronizes its clock to modified on two DCs at approximately the same time.
result in the names of cross-domain object links failing to
the forest root PDCE; non-PDCE DCs synchronize their
resolve correctly, the ability to utilize cross-domain group ▪ Distributed file system. By default, distributed file sys-
clocks to their domain’s PDCE; and domain-joined hosts
memberships will not be affected. tem (DFS) root servers will periodically request updated
synchronize their clocks to their preferred DC. One ex-
DFS namespace information from the PDCE. While this
ample of the importance of time synchronization is Ker-
behavior can lead to resource bottlenecks, enabling
beros authentication: Kerberos authentication will fail
PDC Emulator the Dfsutil.exe Root Scalability parameter will allow DFS
if the difference between a requesting host’s clock and
root servers to request updates from the closest DC.
The Primary Domain Controller Emulator (PDC Emulator the clock of the authenticating DC exceeds the speci-
or PDCE) is a domain-level role; there is one PDCE in each fied maximum (5 minutes by default); this helps count- The PDCE should be placed on a highly-accessible, well-con-
domain in an Active Directory forest. er certain malicious activities, such as replay attacks. nected, high-performance DC. Additionally, the forest root
domain PDC Emulator should be configured with a reliable
The PDC Emulator controls authentication within a domain, ▪ Password update processing. When computer and
external time source.
whether Kerberos v5 or NTLM. When a user changes their user passwords are changed or reset by a non-PDCE do-
password, the change is processed by the PDC Emulator. main controller, the committed update is immediately While the loss of the DC that owns the PDC Emulator role
replicated to the domain’s PDCE. If an account attempts can be expected to have an immediate and significant im-
The PDCE role owner is responsible for several crucial op-
to authenticate against a DC that has not yet received pact on operations, the seizure of the PDCE role has fewer
erations:
a recent password change through scheduled replica- implications to the domain than the seizure of other roles.
▪ Backward compatibility. The PDCE mimics the sin- tion, the request is passed to the domain PDCE, which Seizure of the PDCE role is a recommended best practice
gle-master behavior of a Windows NT primary domain will process the authentication request and instruct the if the DC that owns that role becomes unavailable due to
controller. To address backward compatibility con- requesting DC to either accept or reject it. This behavior an unscheduled outage.

5
 Contents SysAdmin Magazine July 2022

Identifying Role Owners Transferring FSMO Roles

You can use either the command prompt or PowerShell to FSMO roles often remain assigned to their original domain controllers, but they can be transferred if necessary. Since FSMO
identify FSMO role owners. roles are necessary for certain important operations and they are not redundant, it can be desirable or even necessary to move
FSMO roles from one DC to another.
Command Prompt
One method of transferring a FSMO role is to demote the DC that owns the role, but this is not an optimal strategy. When a
DC is demoted, it will attempt to transfer any FSMO roles it owns to suitable DCs in the same site. Domain-level roles can be
netdom query fsmo /domain:<DomainName>
transferred only to DCs in the same domain, but enterprise-level roles can be transferred to any suitable DC in the forest. While
there are rules that govern how the DC being demoted will decide where to transfer its FSMO roles, there is no way to directly
control where its FSMO roles will be transferred.
PowerShell
The ideal method of moving an FSMO role is to actively transfer it using either the Management Console, PowerShell or ntdsutil.
exe. During a manual transfer, the source DC will synchronize with the target DC before transferring the role.
(Get-ADForest).Domains | `

To transfer an FSMO role, an account must have the following privileges:

ForEach-Object{ Get-ADDomainController
-Server $_ -Filter {OperationMasterRoles To transfer this FSMO The account must be a member of
-like "*"}} | `

Schema Master Schema Admins and Enterprise Admins

Select-Object Domain, HostName, Opera-
tionMasterRoles Domain Naming Master Enterprise Admins

PDCE, RID Master or Infrastructure Master Domain Admins in the domain where the role is being
transferred

6
 Contents SysAdmin Magazine July 2022

Right-click the Active Directory Schema node and select

How to Transfer FSMO Roles using the Management Console Change Active Directory Domain Controller. Choose the
DC that the Schema Master FSMO role will be transferred to
and click OK to bind the Active Directory Schema snap-in to
Transferring the Schema Master Role
that DC. (A warning may appear explaining that the snap-in
The Schema Master role can be transferred using the Active Directory Schema Management snap-in. will not be able to make changes to the schema because it
is not connected to the Schema Master.)
If this snap-in is not among the available Management Console snap-ins, it will need to be registered. To do so, open an elevated
command prompt and enter the command regsvr32 schmmgmt.dll. Right-click the Active Directory Schema node again and select
Operations Master. Then click the Change button to begin
Once the DLL has been registered, run the Management Console as a user who is a member of the Schema Admins group, and add
the transfer of the Schema Master role to the specified DC:
the Active Directory Schema snap-in to the Management Console:

7
 Contents SysAdmin Magazine July 2022

Transferring the Domain Naming Master Role Right-click the Active Directory Domains and Trusts node
and select Change Active Directory Domain Controller.
The Domain Naming Master role can be transferred using the Active Directory Domains and Trusts Management Console snap-in.
Choose the DC that the Domain Naming Master FSMO role
Run the Management Console as a user who is a member of the Enterprise Admins group, and add the Active Directory Domains will be transferred to, and click OK to bind the Active Direc-
and Trusts snap-in to the Management Console: tory Domains and Trusts snap-in to that DC.

Right-click the Active Directory Domains and Trusts node

again and select Operations Master. Click the Change but-
ton to begin the transfer of the Domain Naming Master role
to the selected DC:

8
 Contents SysAdmin Magazine July 2022

Transferring the RID Master, Infrastructure Master or PDC Emulator Role Right-click either the Domain node or the Active Directory
Users and Computers node and select Change Active
The RID Master, Infrastructure Master and PDC Emulator roles can all be transferred using the Active Directory Users and Computers
Directory Domain Controller. Choose the domain
Management Console snap-in.
controller that the FSMO role will be transferred to and click
OK button to bind the Active Directory Users and Computers
Run the Management Console as a user who is a member of the Domain Admins group in the domain where the FSMO roles are
snap-in to that DC.
being transferred and add the Active Directory Users and Computers snap-in to the Management Console:

Right-click the Active Directory Users and Computers node

and click Operations Masters. Then select the appropriate
tab and click Change to begin the transfer of the FSMO role
to the selected DC:

9
 Contents SysAdmin Magazine July 2022

5. At the server connections prompt, type connect to serv- ronment. The reintroduction of a FSMO role owner follow-
How to Transfer FSMO Roles using er <DC> (replacing <DC> with the hostname of the DC ing the seizure of its roles can cause significant damage to

PowerShell that the FSMO role is being transferred to) and press En- the domain or forest. This is especially true of the Schema

ter. This will bind ntdsutil to the specified DC. Master and RID Master roles.

You can transfer FSMO roles using the following PowerShell 6. Type quit and press Enter.
To seize FSMO roles, you can use the Move-ADDirectory-
cmdlet: 7. At the fsmo maintenance prompt, enter the appropriate
ServerOperationMasterRole cmdlet with the Force pa-
command for each FSMO role being transferred:
rameter. The cmdlet will attempt an FSMO role transfer; if
▪ transfer schema master
Move-ADDirectoryServerOperationMas- that attempt fails, it will seize the roles.
▪ transfer naming master
terRole -Identity TargetDC -Operation-
▪ transfer rid master
MasterRole pdcemulator, ridmaster,
▪ transfer infrastructure master
infrastructuremaster, schemamaster, do-
mainnamingmaster
▪ transfer pdc
8. To exit the fsmo maintenance prompt, type quit and
How Netwrix Can Help
press Enter. As we have seen, FSMO roles are important for both
9. To exit the ntdsutil prompt, type quit and press Enter. business continuity and security. Therefore, it’s vital to audit
all changes to your FSMO roles. Netwrix Auditor for Active

How to Transfer FSMO Roles using Directory automates this monitoring and can alert you to

Seizing FSMO Roles

any suspicious change so you can take action before it leads
ntdsutil.exe to downtime or a data breach.

To transfers an FSMO role using ndtsutil.exe, take the fol- Transferring FSMO roles requires that both the source DC However, FSMO roles are just one part of your security
lowing steps: and the target DC be online and functional. If a DC that strategy — you need to understand and control what is
owns one or more FSMO roles is lost or will be unavailable happening across your core systems. Netwrix Auditor for
1. Open an elevated command prompt. Active Directory goes far beyond protecting FSMO roles and
for a significant period, its FSMO roles can be seized, rather
2. Type ntdsutil and press Enter. A new window will open. facilitates strong management and change control across
than transferred.
3. At the ntdsutil prompt, type roles and press Enter. Active Directory.
4. At the fsmo maintenance prompt, type connections In most cases, FSMO roles should be seized only if the origi-
and press Enter. nal FSMO role owner cannot be brought back into the envi-

10
 Contents SysAdmin Magazine July 2022

By automating Active Directory change tracking and re-

porting, Netwrix Auditor empowers you to reduce security
risks. You can improve your security posture by proactive-
ly identifying and remediating toxic conditions like directly
assigned permissions, before attackers can exploit them
GUIDE
to gain access to your network resources. Moreover, you
can monitor changes and other activity in Active Directory
FREE GUIDE
changes to spot emerging problems and respond to them
promptly — minimizing the impact on business processes,
user productivity and security. Active Directory
Delegated
Permissions Best
Practices
Free Download

11
 Contents SysAdmin Magazine July 2022

How a Global Catalog Works

What Is a Global
user account is a member of, which will be included in
the generated user access token. The DC must access a
global catalog server to obtain the following:

Catalog Server? - User principal name resolution. Logon requests

Active Directory Partitions
made using a user principal name (e.g., “user-
To understand how the global catalog works, it is important
name@domain.com”) require a search of the glob-
to first understand a little bit about how the Active
al catalog to identify the distinguished name of the
Directory database is structured. Domain controllers store
associated user object.
Kevin Joyce the Active Directory database in a single file, NTDS.dit. To
Senior Technical Product Manager at Netwrix - Universal group membership. Logon requests
simplify administration and facilitate efficient replication,
made in multi-domain environments require the
the database is logically separated into partitions.
use of a global catalog that can check for the exis-
The global catalog is a feature of Active Directory (AD) that tence of any universal groups and determine if the Every domain controller maintains at least three partitions:
allows a domain controller (DC) to provide information on user logging on is a member of any of those groups.
▪ The domain partition contains information about a
any object in the forest, regardless of whether the object Because the global catalog is the only source of uni-
domain’s objects and their attributes. Every DC contains
is a member of its domain. Domain controllers with the versal group membership information, access to a
a complete writable replica of its local domain partition.
global catalog feature enabled are referred to as global global catalog server is a requirement for authenti-
▪ The configuration partition contains information
catalog servers. cation in a multi-domain forest.
about the forest’s topology, including domain controllers
and site links. Every DC in a forest maintains a complete
▪ Object Search. The global catalog makes the directory
writable replica of the configuration partition.
Core Functionality structure within a forest transparent to users who
perform a search. For example, any global catalog server
▪ The schema partition is a logical extension of the
configuration partition; it contains definitions of every
in a forest is capable of identifying a user object given
Global catalog servers perform several functions, which are object class in the forest and the rules that control the
only the object’s samAccountName. Without a global
especially important in a multi-domain forest environment: creation and manipulation of those objects. Every DC
catalog server, identifying a user object given only its
in a forest maintains a complete replica of the schema
▪ Authentication. During an interactive domain logon, a samAccountName could require separate searches of
partition. The schema partition is read-only on every DC
DC will process the authentication request and provide every domain in the forest.
except the DC that owns the Schema Master operations
authorization information regarding all of the groups the
role for the forest.

12
 Contents SysAdmin Magazine July 2022

Domain controllers may also maintain application

partitions. These partitions contain information relating
Global Catalog Partitions
to AD-integrated applications and can contain any type of
Consider a forest that consists of three domains, each with one global catalog server, as depicted below:
object except for security principals. Application partitions
have no specific replication requirements; they are not
required to replicate to other domain controllers but can
be configured to replicate to any DC in a forest.

You can identify the partitions present on a DC using the

following PowerShell cmdlet:

Get-ADDomainController -Server <SERVER> |

Select-Object -ExpandProperty Partitions

13
 Contents SysAdmin Magazine July 2022

As explained earlier, every DC maintains a replica of its

local domain partition, the configuration partition and
the schema partition. In a multi-domain forest like this
one, global catalog servers also host an additional set of
read-only partitions, each of which contains a partial, read-
only replica of the domain partition from one of the other
domains in the forest. It is the information in these partial,
read-only partitions that allow global catalog servers to
process authentication and forest-wide search requests in
a multi-domain forest.

The subset of object attributes that are replicated to global

catalog servers is called the Partial Attribute Set (PAS).
The members of the Partial Attribute Set in a domain can
be listed using this PowerShell cmdlet:

Get-ADObject -SearchBase (Get-ADRootDSE).

SchemaNamingContext -LDAPFilter "(isMem-
berOfPartialAttributeSet=TRUE)" -Prop-
erties lDAPDisplayName | Select lDAPDis-
playName

In a single-domain forest, all DCs host the only domain Active Directory takes advantage of this by allowing any domain controller in a single-domain forest to function as a virtual global
partition in the forest; therefore, each one contains a catalog server, regardless of whether it has been configured as a global catalog server. The only limitation is that only DCs config-
record of all of the objects in the forest and can process ured as global catalog servers can respond to queries directed specifically to a global catalog.
authentication and domain service requests.

14
 Contents SysAdmin Magazine July 2022

cate with a global catalog server to process initial logons

Deploying Global Catalog and perform search requests.

Servers It is recommended that all DCs be configured as global

catalog servers unless there is a specific reason to avoid
When a new domain is created, the first DC will be made a GUIDE
doing so.
global catalog server. To configure additional DCs as global
catalog servers, either enable the Global Catalog checkbox
in the server’s NTDS Settings properties in the Active Direc-
tory Sites and Services management console, or use the fol- FREE EBOOK
lowing PowerShell cmdlet:

Set-ADObject -Identity (Get-ADDomainCon-

Active Directory
troller -Server <SERVER>).NTDSSettingsOb-
jectDN -Replace @{options='1'}
Tutorial
Free Download
Each site in the forest should contain at least one global
catalog server to eliminate the need for an authenticating
DC to communicate across the network to retrieve glob-
al catalog information. In situations where it is not feasi-
ble to deploy a global catalog server in a site (such as a
small remote branch office), Universal Group Membership
Caching can reduce authentication-related network traffic
and allow the remote site’s DC to process local site login
requests using cached universal group membership infor-
mation. This feature requires the remote DC to communi-

15
 Contents SysAdmin Magazine July 2022

Active Directory Background

Authentication Based EKUs

Certificate
First, look for Enhanced Key Usages (EKUs) that enable any
When an authentication-based certificate is issued to an kind of domain-level authentication. Here is a brief list:
identity, the certificate can be used to authenticate as the

Services: Risky identity set in the Subject Alternative Name (SAN); this is
usually a UPN or DNS name. The certificate is then used in
•
•
Any Purpose (2.5.29.37.0)
SubCA (None)

Settings and How

lieu of a password for initial authentication. The technical • Client Authentication (1.3.6.1.5.5.7.3.2)
reference for this initial authentication is RFC4556 if you • PKINIT Client Authentication (1.3.6.1.5.2.3.4)
want to find out more detail. • Smart Card Logon (1.3.6.1.4.1.311.20.2.2)

to Remediate Them Once an authenticated-based certificate has been issued, it

The easiest way to manually find all of your certificate
templates that allow this is to open the Certificate Authority
can be used to authenticate as the subject until it is revoked
MMC Snap-in, connect to your Certificate Authority, look
or expired. This will circumvent incident response plans that
Joe Dibley at the Certificate Template section and scan the Intended
rely on strategies like resetting the user’s password to kick
Security Researcher at Netwrix Purpose Column for any of these authentication EKUs. For
out an attacker; the attacker can have persistent access to
example, the figure below shows that the Computer, Copy
the account unless the certificates are also revoked.
of Smartcard Logon and both Domain Controller templates
Active Directory Certificate Services has been around for a
contain at least one of the PKUs.
long time, but resources for learning it are not great. As a
result, it often has misconfigurations that are an increasing

Risky Template Settings

After you address the templates you find, be sure to keep
vector for attacks. In fact, SpecterOps released a whitepaper
in mind that there are ways to abuse normal certificates as
detailing a number of misconfigurations and potential attacks
well. For example, PoshADCS’s Get-SmartCardCertificate
and providing hardening advice. In this article, I cover several
function can modify a template, request certificates for it
of the settings that be misconfigured and how to spot them, Here are some of the certificate template settings that can
and then revert the changes to the template.
offer several options for further hardening security, and lead to misconfigurations.
explain how to use a free tool to check your environment.

16
 Contents SysAdmin Magazine July 2022

Alternatively, you can use a PowerShell command like the

following to get the templates from AD and check whether
the flag is set in the certificate:

Get-ADobject -Filter { ObjectClass -eq

"PKIcertificateTemplate" } -SearchBase
(Get-ADRootDSE).ConfigurationNamingCon-
text -prop * | Select Name, mspki-certifi-
cate-name-flag, @{ Name = "SupplyInRequest"
; Expression = { $_.'mspki-certifi-
“Enrollee Supplies Subject” Flag cate-name-flag' -band 0x00000001 } }

When the flag CT_FLAG_ENROLLEE_SUPPLIES_SUBJECT is present in the mspki-certificate-name-flag property, the enrollee of the
certificate can supply their own alternative Subject Name in the certificate signing request. This means that any user who is allowed
to enroll in a certificate with this setting can request a certificate as any user in the network, including a privileged user.

You can check this flag in the Certificate Template console; it’s under the Subject Name tab as the “Supply in the request” radio Further Reducing Risk
option:
In addition to correcting certificate misconfigurations,
consider using the following options to control the issuing
of certificates.

CA Certificate Manager Approval or

Authorized Signatures
First and probably most important, look at the Issuance

17
 Contents SysAdmin Magazine July 2022

Requirements tab on each certificate to see if it requires of users who shouldn’t be able to request certificates; if
you find them, consider revoking their Enroll or AutoEnroll
EDITF_ATTRIBUTESU
BJECTALTNAME2 Registry
approval from the Certificate Authority (CA) manager or
one or more authorized permissions.

Key
Last, check the EDITF_ATTRIBUTESUBJECALTNAME2
registry setting. This setting is one of the most interesting:
If is enabled on the CA, then any authenticated-based
certificate that is issued (including certificates where the
subject is automatically built from Active Directory) can
have user-defined values in the SAN.
Enabling one or both of these settings can greatly reduce
risk by requiring checks before certificates are issued. If you
To check this setting, you can run this command:
are unsure about requiring authorized signatures, at least
require CA certificate manager approval; then every time a
certificate is requested, it will go to the Certificate Authority certutil –getreg policy\EditFlags

for manual review before being issued.

If EDITF_ATTRIBUTESUBJECALTNAME2 is in the output list,

you should remove it using this command:
Enrollment Permissions
Second, look at the enrollment permissions in each certutil -config "CA CONNECTION STRING"
template, which can be found on the Security tab. Many -setreg policy\EditFlags - EDITF_ATTRI-
misconfigurations are critical only when generic principals BUTESUBJECTALTNAME2м
or large groups have these permissions. In particular, check
for Authenticated Users, Domain Users and any large group
Further guidance on this setting can be found here.

18
 Contents SysAdmin Magazine July 2022

Checking for Risky

Settings using PSPKIAudit
The PSPKIAudit tool can help you audit your PKI
infrastructure. To use PSPKIAudit, simply download the
tool from GitHub, import the module and run the Invoke-
PKIAudit command. This will enumerate the Certificate FREE GUIDE
Authority from Active Directory and then query it for some

Active Directory
of the default options.

Below are a couple of screenshots showing the output

of this tool, which reveals a misconfigured certificate and
misconfigurations on the CA. If PSPKIAudit picks up any
Security Best
misconfigurations not covered in this post, check the
SpecterOps paper for remediation advice.
Practices

Free Download

19
 Contents SysAdmin Magazine July 2022

Active Directory Active Directory Object Recovery without the AD Recycle Bin

Object Recovery
In a domain without the AD Recycle Bin, when an Active Directory object is deleted, it becomes a “tombstone.” This object, stripped
of the majority of its attributes, is kept in the partition’s Deleted Objects container for the time period specified in the domain’s

Using the Recycle

tombstoneLifetime. During this period, the object is technically recoverable, but its lost attributes can be generally considered to
be irrecoverable. Once the tombstoneLifetime value is reached, the object is garbage-collected into non-existence. This lifecycle
is illustrated below:

Bin
Kevin Joyce
Senior Technical Product Manager at Netwrix

The Active Directory Recycle Bin facilitates the recovery

of deleted Active Directory objects without requiring res-
toration from backup, restarting Active Directory Domain
Services or rebooting domain controllers (DCs). Let’s re-
view how object recovery works without the Recycle Bin. Active Directory Object Recovery with the AD Recycle Bin
If the AD Recycle Bin is enabled, when an object in deleted, the majority of its attributes, including its link-valued attributes, are
preserved for a period of time to facilitate restoring the object if needed. During this period, the object is in a deleted object state.
(This time period is defined in the msDS-DeletedObjectLifetime attribute. By default, its value is the value of the tombstoneLifetime
attribute. If the value of the msDS-deletedObjectLifetime attribute is null or the attribute simply doesn’t exist, its value is interpreted
to be the value of the tombstoneLifetime attribute. If there’s also no tombstoneLifetime value, both values default to 60 days.)

20
 Contents SysAdmin Magazine July 2022

Once the object’s time in a deleted object state is up, the object becomes a recycled object. A recycled object looks suspiciously like Here is a user account that I am planning to delete:
a tombstone with an isRecycled attribute slapped on and set to TRUE. Like a tombstone, the majority of its attributes are removed
and it persists in Active Directory for the time period specified by the tombstoneLifetime attribute. Then, it is cleaned up by Active
Directory’s garbage collection.

The lifecycle of an object deleted with the Recycle Bin enabled looks like this:

How Restoring an Object from the Recycle

While the Recycle Bin preserves more object attributes than a tombstone, a restored object is not identical to the original object.
Let’s see how.

21
 Contents SysAdmin Magazine July 2022

Here is the object in the deleted object state in the Recycle Bin: While the majority of the object’s attributes are retained,
there are some important changes:

▪ The object has been moved. The object has been

moved into the partition’s Deleted Objects container.

▪ The object has been renamed. The object’s name has

been updated using the Common-NameADEL:Object-
Guid

▪ The object possesses some new attributes. The

isDeleted attribute has a value of TRUE and the
lastKnownParent attribute is populated. A new
attribute, msDS-LastKnownRDN, is populated with the
object’s last known relative distinguished name (this
attribute allows the Recycle Bin to properly reset an
object’s RDN during its restoration, even if the object’s
renaming resulted in the truncation of the original RDN).

▪ Two attributes have been removed. Two attributes,

objectCategory and sAMAccountType, are always
removed from an object when it is deleted. If the object
is recovered, the objectCategory value is automatically
set to the most specific value in the object’s objectClass
attribute and the sAMAccountType value is calculated
from the value of either the userAccountControl (for
user objects) or groupType attribute (for group objects).

Keen-eyed readers might also notice that the manager and

memberOf attributes are also missing from my screenshot.

22
 Contents SysAdmin Magazine July 2022

They’re actually just hiding. Both these attributes are link-

valued (i.e., they contain references to other objects) and
tool I used (LDP) doesn’t return deactivated links unless
the cleverly-named Return Deactivated Links control has
been set. If I had enabled that control the attributes and
their values would have been visible in my screenshot, but I
would have missed out on this teachable moment.

How to Recover an Object

from the AD Recycle Bin
Prior to Windows Server 2012, restoring an object from the
AD Recycle Bin required using an LDAP tool or PowerShell to
list all deleted objects, sifting through a long list to find the
desired object, and restoring it using another PowerShell
command. It was a good thing the AD Recycle Bin was so
useful because it was not exactly fun to use!

Now, Recycle Bin functionality is available in the Active

Directory Administrative Center: As you can see, you can quickly find the deleted object you’re interested in using the search filters.

To restore an object, simply click Restore in the Tasks list on the right side of the window. Here’s what the restored object looks
like:

23
 Contents SysAdmin Magazine July 2022

▪ Active Directory is going to be a little bigger. After

enabling the AD Recycle Bin, deleted objects will retain
far more of their attributes and persist longer than
tombstones. As a result, Active Directory will likely use a
little more space than it did before.

▪ Enabling the Recycle Bin deletes all tombstones. The

most impactful consequence of enabling the Recycle Bin
is that all tombstone objects in the forest will immediately
cease to exist. Many admins have learned about this
consequence the hard way.

However, these issues do not outweigh the benefits of

enabling the AD Recycle Bin.

How Netwrix Can Help

Drawbacks to the Active Directory Recycle Bin The AD Recycle Bin is a useful tool for recovering recently
deleted objects. For a more comprehensive solution, con-
While the Recycle Bin dramatically simplifies object recovery, we have seen a couple of limitations: Objects are kept for only a fairly
sider Netwrix StealthRECOVER. It provides additional se-
short period of time and some of their attributes are lost. There are a couple of additional drawbacks to the Recycle Bin:
curity by enabling you to restore backed-up objects that
▪ Enabling the Active Directory Recycle Bin involves a schema change. Therefore, once you turn the Recycle Bin on you can’t have exceeded their forest’s mdDS-DeletedObjectLifetime
turn it off without a full-forest recovery. and therefore are no longer recoverable using the AD Re-
cycle Bin.

24
 Contents SysAdmin Magazine July 2022

How-to for IT Pro Restore an Object with the Active

Directory Administrative Center
HOW TO: RESTORE DELETED AD OBJECTS (ACUC)
The Active Directory Recycle Bin is disabled by default. In 1. Open the Server Manager management console ->
order to use it to restore deleted objects, you must enable Click Tools -> Active Directory Administrative Center
it. You cannot restore any objects deleted before Recycle (Alternatively: Open the “run” box (click Start -> Run or
Bin was enabled. Note that Recycle Bin can be enabled only use the Win-R keyboard shortcut) -> Type dsac.exe ->
once without a possibility to disable it afterwards. Click OK.) Restore an Object using PowerShell
2. In the left pane of the ADUC,select the domain in Alternatively, you can restore an AD object using the Re-
Prerequisite: Enable the Recycle Bin which the deleted object resided. In the center pane, store-ADObject PowerShell cmdlet:
in Active Directory select the Deleted Objects container:
Get-ADObject -Filter {displayName -eq "userdel tobegone"}
1. Open the Server Manager management console -> -IncludeDeletedObjects | Restore-ADObject
Click Tools -> Active Directory Administrative Center
(Alternatively: Open the “run” box (click Start -> Run or
use the Win-R keyboard shortcut) -> Type dsac.exe ->
Click OK.)

2. Click on your domain name. In the Tasks pane, click

Enable Recycle Bin.

3. In the confirmation window, click OK.

3. Select the deleted object. Then do one of the following:
• To restore the object to its original container, click
Restore:

25
 Contents SysAdmin Magazine July 2022

Secure Endpoints and Boost Deploy software and custom OS settings to any Win-
dows endpoint, whether domain-joined, MDM enrolled
TOOL OF THE MONTH
Productivity or virtual

Netwrix PolicyPak enables you to solve your endpoint

management and endpoint protection challenges. The
tool provides a powerful policy creation, management
and deployment framework that extends the policy man-
agement, security, automation and reporting capabilities

Netwrix
of the endpoint management technologies you already
use.

PolicyPak
Prevent users from installing unknown software and
Manage and secure your on-premises, hybrid or remote
Request Demo manage how they use removable storage
desktop environment from a single solution

26
 Contents SysAdmin Magazine July 2022

[On-Demand Webinar]

Active Directory is leveraged by over 90% of enterprises worldwide as the authentication

Active Directory and authorization hub of their IT infrastructure— but its inherent complexity leaves it prone
to misconfigurations that can allow attackers to slip into your network and wreak havoc. To

Masterclass: AD reduce risk, you need to ensure your AD is clean, configured properly, monitored closely and
controlled tightly. Netwrix is eager to help you achieve these goals.

Configuration Strategies ▪ Whether you should upgrade your domain controllers to Windows Server 2019 and beyond
▪ Achieving mission impossible: updating DCs within 48 hours

for Stronger Security ▪ How to disable legacy protocols and outdated compatibility options in Active Directory
▪ How to better secure service accounts with gMSAs and least privilege
▪ The AD Tier Model as a goal and the Protected Users group as an easy fix

Sander Berkouwer Alex McCoy

Enterprise Mobility MVP Security enthusiast/Podcaster Watch Now

27
 About Netwrix
What did you think Netwrix is a software company that enables information security and governance professionals to reclaim control over
of this issue? sensitive, regulated and business-critical data, regardless of where it resides.
What did you think of this content?
Over 11500 organizations worldwide rely on Netwrix solutions to secure sensitive data, realize the full business value of
enterprise content, pass compliance audits with less effort and expense, and increase the productivity of IT teams and
knowledge workers.

For more information visit www.netwrix.com

CORPORATE HEADQUARTER: PHONES: OTHER LOCATIONS:

300 Spectrum Center Drive 1-949-407-5125 Spain: +34 911 982608 Switzerland: +41 43 508 3472 Hong Kong: +852 5808 1306
Suite 200 Irvine, CA 92618 Toll-free (USA): 888-638-9749 Italy: +39 02 947 53539
Netherlands: +31 858 887 804 France: +33 9 75 18 11 19

Sweden: +46 8 525 03487 Germany: +49 711 899 89 187

565 Metro Place S, Suite 400 1-201-490-8840
Dublin, OH 43017

5 New Street Square +44 (0) 203 588 3023 SOCIAL: netwrix.com/social
London EC4A 3TW