Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Save more on your purchases now! discount-offer-chevron-icon
Savings automatically calculated. No voucher code required.
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Conferences
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Active Directory Administration Cookbook, Second Edition

You're reading from   Active Directory Administration Cookbook, Second Edition Proven solutions to everyday identity and authentication challenges for both on-premises and the cloud

Arrow left icon
Product type Paperback
Published in Jul 2022
Publisher Packt
ISBN-13 9781803242507
Length 696 pages
Edition 2nd Edition
Languages
Tools
Arrow right icon
Author (1):
Arrow left icon
Sander Berkouwer Sander Berkouwer
Author Profile Icon Sander Berkouwer
Sander Berkouwer
Arrow right icon
View More author details
Toc

Table of Contents (18) Chapters Close

Preface 1. Chapter 1: Optimizing Forests, Domains, and Trusts 2. Chapter 2: Managing Domain Controllers FREE CHAPTER 3. Chapter 3: Managing Active Directory Roles and Features 4. Chapter 4: Managing Containers and Organizational Units 5. Chapter 5: Managing Active Directory Sites and Troubleshooting Replication 6. Chapter 6: Managing Active Directory Users 7. Chapter 7: Managing Active Directory Groups 8. Chapter 8: Managing Active Directory Computers 9. Chapter 9: Managing DNS 10. Chapter 10: Getting the Most Out of Group Policy 11. Chapter 11: Securing Active Directory 12. Chapter 12: Managing Certificates 13. Chapter 13: Managing Federation 14. Chapter 14: Handling Authentication in a Hybrid World (AD FS, PHS, PTA, and DSSO) 15. Chapter 15: Handling Synchronization in a Hybrid World (Azure AD Connect) 16. Chapter 16: Hardening Azure AD 17. Other Books You May Enjoy

Decommissioning a compromised read-only domain controller

One of the benefits of deploying read-only domain controllers is their ability to recover quickly from an information security breach.

Since only the passwords for a subset of users are cached on the read-only domain controller when these users signed on through the read-only domain controller and the passwords for really sensitive accounts weren't allowed to be cached on the read-only domain controller, the impact of a stolen read-only domain controller is small, compared to a fully writable domain controller.

How to do it...

To render the read-only domain controller useless to an attacker or thief, perform these steps:

  1. Press Start.
  2. Search for Active Directory Users and Computers and click its corresponding search result, or run dsa.msc. The Active Directory Users and Computers window appears.
  3. In the left navigation pane, expand the domain name.
  4. In the left navigation pane, expand the Domain Controllers OU.
  5. Right-click the compromised read-only domain controller and select Delete:
Figure 2.21 – Deleting a read-only domain controller in Active Directory Users and Computers

Figure 2.21 – Deleting a read-only domain controller in Active Directory Users and Computers

  1. In the Active Directory Domain Services pop-up window, click Yes to answer the Are you sure you want to delete the Computer? question.
  2. On the Deleting Domain Controller screen, select the Reset all passwords for user accounts that were cached on this Read-only Domain Controller option:
Figure 2.22 – The Deleting Domain Controller window

Figure 2.22 – The Deleting Domain Controller window

  1. Since the persons associated with the user accounts will be forced to have their passwords reset by service desk personnel, it's a recommended practice to also check the Export the list of accounts that were cached on this Read-only Domain Controller to this file option and to specify a file. This way, the service desk may proactively approach affected colleagues.
  2. Click Delete.
  3. In the Delete Domain Controller pop-up window, click OK.
  4. In the Delete Domain Controller pop-up window, click Yes to continue with this deletion.

How it works...

Each read-only domain controller caches the hashes of the passwords for users signing in through the read-only domain controller. For this functionality, the read-only domain controller contacts a writable domain controller.

When a user account is denied having its password cached, the password is not cached. For accounts on which the passwords have been cached, the best remedy is to reset these passwords.

Every Kerberos ticket that is given to devices or user accounts is encrypted using the separate krbtgt account for the read-only domain controller. These tickets are bound to the read-only domain controller. When the read-only domain controller is removed from the Active Directory domain, these Kerberos tickets become useless.

You have been reading a chapter from
Active Directory Administration Cookbook, Second Edition - Second Edition
Published in: Jul 2022
Publisher: Packt
ISBN-13: 9781803242507
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime