1. Understanding Kerberos Authentication
Kerberos was originally designed at MIT as a
secure method of authenticating users without ever sending the user's
password across the network, encrypted or not. Not having to send the
password greatly reduces the threat of password theft, because a
malicious user sniffing the network no longer obtains a copy of the
password (or of a password hash) to run brute-force attacks against.
What does cross the network is material encrypted under a key derived
from the password, so a captured exchange can still be subjected to
offline guessing; weak passwords therefore remain a risk even though
the password itself is never transmitted.
The actual functionality of Kerberos
is complicated, but essentially what happens is that the client asks a
trusted third party, the Key Distribution Center (KDC), for a ticket,
and the KDC's reply contains a "riddle" of sorts that can be answered
only with the user's proper credentials: a session key (and ticket)
encrypted under a key derived from the user's password. The client
applies the "answer", its password-derived key, to decrypt the reply.
If the proper password was used, the client recovers the session key
and is authenticated, and the KDC never needs to see the password.
(With preauthentication, which Windows enables by default, the client
also proves knowledge of the password up front by sending the KDC a
timestamp encrypted under that same key.) Although used in Windows
Server 2012, this form of authentication is not proprietary to
Microsoft: Kerberos version 5 is an Internet standard, RFC 4120.
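The exchange just described, as an added example that is not part of the book's text: a toy model of the Kerberos AS exchange in PowerShell, with both the client's and the KDC's side, followed by the offline-guessing caveat. The realm COMPANYABC.COM is borrowed from the book's sample domain; the user, passwords, wordlist and all function names are made up for the example. It simplifies real Kerberos: AES key derivation follows only the PBKDF2 half of RFC 3962 (the final derivation step is omitted), messages are hashtables rather than ASN.1, and the reply carries no ticket.

```powershell
# Added example, not from the book: toy Kerberos AS exchange. The password never
# crosses the wire; only a timestamp encrypted under a password-derived key does
# (preauthentication), and the KDC answers with a session key encrypted under that
# same key (the "riddle"). Assumptions: simplified RFC 3962 key derivation, AES-CBC
# with PKCS7 padding, hashtables instead of ASN.1, no ticket in the reply.

function Get-ClientKey {
    param([string]$Password, [string]$Realm, [string]$User)
    $salt = [System.Text.Encoding]::UTF8.GetBytes($Realm + $User)   # RFC 3962 default salt
    $kdf  = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, 4096)
    return ,$kdf.GetBytes(32)           # 256-bit AES key; leading comma keeps it one array
}

function Protect-Blob {
    param([byte[]]$Key, [byte[]]$Plaintext)
    $aes = [System.Security.Cryptography.Aes]::Create()   # CBC + PKCS7 by default
    $aes.Key = $Key
    $aes.GenerateIV()
    $ct = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    return ,([byte[]]($aes.IV + $ct))   # IV prepended to the ciphertext
}

function Unprotect-Blob {
    param([byte[]]$Key, [byte[]]$Blob)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $Key
    $aes.IV  = [byte[]]($Blob[0..15])
    $ct = [byte[]]($Blob[16..($Blob.Length - 1)])
    return ,$aes.CreateDecryptor().TransformFinalBlock($ct, 0, $ct.Length)
}

function New-AsRequest {
    # Client side (AS-REQ): only the principal name and the encrypted timestamp go on the wire.
    param([string]$User, [string]$Realm, [string]$Password)
    $key = Get-ClientKey -Password $Password -Realm $Realm -User $User
    $ts  = [System.Text.Encoding]::UTF8.GetBytes([datetime]::UtcNow.ToString('yyyyMMddHHmmss\Z'))
    return @{ cname = $User; realm = $Realm; padata = (Protect-Blob -Key $key -Plaintext $ts) }
}

function Test-PreAuth {
    # KDC side: the timestamp must decrypt cleanly and fall within the 5-minute clock skew.
    param([byte[]]$ClientKey, [byte[]]$EncTimestamp)
    try {
        $text = [System.Text.Encoding]::UTF8.GetString((Unprotect-Blob -Key $ClientKey -Blob $EncTimestamp))
        $ts   = [datetime]::ParseExact($text, 'yyyyMMddHHmmss\Z', [System.Globalization.CultureInfo]::InvariantCulture)
        return ([math]::Abs(([datetime]::UtcNow - $ts).TotalMinutes) -le 5)
    } catch { return $false }           # wrong key: padding error or unparseable junk
}

# The KDC's database holds only password-derived keys, never passwords (made-up user).
$kdcDatabase = @{ alice = (Get-ClientKey -Password 'Winter2012!' -Realm 'COMPANYABC.COM' -User 'alice') }

function Invoke-Kdc {
    param($AsReq)
    $clientKey = $kdcDatabase[$AsReq.cname]
    if (-not $clientKey -or -not (Test-PreAuth -ClientKey $clientKey -EncTimestamp $AsReq.padata)) {
        return @{ error = 'KDC_ERR_PREAUTH_FAILED' }
    }
    # AS-REP: a fresh session key, readable only by whoever holds the client key.
    $sessionKey = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($sessionKey)
    return @{ cname = $AsReq.cname; encPart = (Protect-Blob -Key $clientKey -Plaintext $sessionKey) }
}

function Invoke-OfflineGuess {
    # The caveat: whoever captured the AS-REQ can test guesses offline against the
    # encrypted timestamp without ever talking to the KDC, so password strength still matters.
    param($AsReq, [string[]]$Wordlist)
    foreach ($guess in $Wordlist) {
        $k = Get-ClientKey -Password $guess -Realm $AsReq.realm -User $AsReq.cname
        if (Test-PreAuth -ClientKey $k -EncTimestamp $AsReq.padata) { return $guess }
    }
    return $null
}

# --- run the exchange ---
$req = New-AsRequest -User 'alice' -Realm 'COMPANYABC.COM' -Password 'Winter2012!'
$rep = Invoke-Kdc $req
$sessionKey = Unprotect-Blob -Key (Get-ClientKey 'Winter2012!' 'COMPANYABC.COM' 'alice') -Blob $rep.encPart
"Client holds a $($sessionKey.Length)-byte session key; the password was never transmitted."

$bad = New-AsRequest -User 'alice' -Realm 'COMPANYABC.COM' -Password 'wrong'
"Wrong password: $((Invoke-Kdc $bad).error)"

"Offline guess from a captured request: $(Invoke-OfflineGuess -AsReq $req -Wordlist @('password', 'Summer2012!', 'Winter2012!'))"
```

The last line is the point of the caveat: the request that authenticated alice is exactly what an eavesdropper would test a wordlist against, which is why the "no password on the wire" property does not replace a password policy.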
2. Taking Additional Security Precautions
AD DS implementations are, in
essence, as secure as the Windows Server 2012 environment in which they
run. The security of the AD DS structure can be increased through
additional precautions, such as securing server-to-server
communications with IPsec, or requiring smart cards or other strong
forms of authentication. In addition, the user environment can be
hardened through Group Policy, which can enforce settings such as
password and account lockout restrictions, domain security options, and
logon rights.
3. Restoring Deleted AD DS Objects Using the Active Directory Recycle Bin
The AD Recycle Bin was supported in
the Windows Server 2008 R2 version of AD DS, but was extremely
complicated to implement, and the administrative tools provided were
not easy to use. In Windows Server 2012, the AD Recycle Bin
functionality is now built in to the Active Directory Administration
Center (ADAC) and need only be enabled to start using the
functionality. A few prerequisites must be satisfied, however, before
the AD Recycle Bin can be enabled:
• The forest functional level must be
at least Windows Server 2008 R2 (Windows Server 2012 functional level
also qualifies), which in turn requires every domain in the forest to
be at that level or higher.
• Membership in the Enterprise Admins group is required to enable the AD Recycle Bin.
• The process of enabling the AD Recycle Bin is nonreversible.
Enabling the AD Recycle Bin
To enable the Active Directory Recycle Bin, follow these steps:
1. Right-click Windows PowerShell, and then select Run as Administrator.
2. From the PowerShell prompt, type in dsac.exe to start the ADAC.
3. Click Manage - Add Navigation Nodes, and then select the target domain and click OK.
4. Next, select the
target domain and then, under Tasks, click Enable Recycle Bin. Click OK
twice to accept the changes, as shown in Figure 1. Press F5 to refresh ADAC.
Figure 1. Enabling the AD Recycle Bin.
5. To validate that
the Recycle Bin is enabled, open the CN=Partitions container under the
Configuration naming context, using an editor such as ADSI Edit. In the
details pane, find the msDS-EnabledFeature attribute and confirm that
its value includes the distinguished name of the Recycle Bin feature
object (CN=Recycle Bin Feature,CN=Optional Features,CN=Directory
Service,CN=Windows NT,CN=Services,CN=Configuration,DC=companyabc,DC=com
in the sample domain used below).
Alternatively, you can enable the AD Recycle
Bin by using the following PowerShell command from a prompt with the
Active Directory module loaded. Replace companyabc.com and
DC=companyabc,DC=com with the name of the forest root domain where the
AD Recycle Bin will be enabled. The cmdlet prompts for confirmation
because the change cannot be undone.
Enable-ADOptionalFeature -Identity 'CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=companyabc,DC=com' -Scope ForestOrConfigurationSet -Target 'companyabc.com'
Recovering Deleted Items Using the AD Recycle Bin
Deleted objects can be restored directly from
ADAC by looking in the Deleted Objects container, which appears under
the domain node. Right-click the object and select Restore (or Restore
To, to place it under a different parent), as shown in Figure 2. With
the Recycle Bin enabled, a deleted object keeps its attributes and group
memberships and remains restorable for the deleted object lifetime
(msDS-deletedObjectLifetime, 180 days by default). If the object's
parent container was deleted as well, restore the parent first, or use
Restore To to choose a new parent.
Figure 2. Restoring a deleted AD object from the AD Recycle Bin.
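The whole procedure from this section, prerequisite check through restore, as an added PowerShell example that is not part of the book's text. It assumes the ActiveDirectory module (a domain controller or a machine with RSAT), Enterprise Admins rights, and the verification point the text uses (msDS-EnabledFeature on CN=Partitions). The forest is read from Get-ADForest rather than hard-coded; the lost account name jdoe, the fallback OU named Restored, and the helper Restore-LostObject are placeholders of my own to adjust.

```powershell
# Added example, not from the book: enable, verify and use the AD Recycle Bin end to end.
# Assumes the ActiveDirectory module and Enterprise Admins rights. jdoe, OU=Restored
# and the helper function below are placeholders for this example.
Import-Module ActiveDirectory

$forest = Get-ADForest
$config = (Get-ADRootDSE).configurationNamingContext

# 1. Prerequisite: forest functional level Windows Server 2008 R2 or higher.
$required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest
if ([int]$forest.ForestMode -lt [int]$required) {
    throw "Forest functional level is $($forest.ForestMode); raise it to $required or higher first."
}

# 2. Enable the feature unless it already is. EnabledScopes is empty when it is not.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if ($feature.EnabledScopes.Count -gt 0) {
    "Recycle Bin already enabled on: $($feature.EnabledScopes -join '; ')"
} else {
    # No undo: the text is explicit that enabling is nonreversible, so do not count on
    # Disable-ADOptionalFeature here. -Confirm:$false suppresses the interactive prompt.
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target $forest.RootDomain -Confirm:$false
}

# 3. Verify the way the text does: msDS-EnabledFeature on CN=Partitions lists the feature DN.
$partitions = Get-ADObject -Identity "CN=Partitions,$config" -Properties msDS-EnabledFeature
if ($partitions.'msDS-EnabledFeature' -notcontains $feature.DistinguishedName) {
    throw 'Recycle Bin DN not present on CN=Partitions; replication may be pending or the enable failed.'
}

# 4. How long you have: deleted objects stay restorable for msDS-deletedObjectLifetime days.
$ds = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$config" `
        -Properties msDS-deletedObjectLifetime
$lifetime = $ds.'msDS-deletedObjectLifetime'
if (-not $lifetime) { $lifetime = 'tombstoneLifetime (attribute not set)' }
"Deleted objects stay restorable for $lifetime days"

# 5. Recover. Restore-ADObject puts an object back under its lastKnownParent, so a deleted
#    parent container must be restored first; otherwise pick a new home with -TargetPath.
#    Objects past the lifetime are "recycled" (isRecycled) and can no longer be restored.
function Restore-LostObject {
    param([string]$NamePrefix, [string]$FallbackOU)
    $lost = Get-ADObject -Filter "isDeleted -eq `$true -and Name -like '$NamePrefix*'" `
                -IncludeDeletedObjects -Properties lastKnownParent, whenChanged, isRecycled
    foreach ($obj in $lost) {
        if ($obj.isRecycled) { "Skipping $($obj.Name): already recycled, unrecoverable"; continue }
        try   { Get-ADObject -Identity $obj.lastKnownParent -ErrorAction Stop | Out-Null; $parentAlive = $true }
        catch { $parentAlive = $false }
        if ($parentAlive) { Restore-ADObject -Identity $obj.ObjectGUID }
        else              { Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackOU }
        "Restored $($obj.Name) (last changed $($obj.whenChanged))"
    }
}

Restore-LostObject -NamePrefix 'jdoe' -FallbackOU "OU=Restored,$((Get-ADDomain).DistinguishedName)"
```

Restoring by ObjectGUID rather than by name avoids ambiguity when the same account was deleted and re-created more than once, since each deletion leaves its own entry under Deleted Objects with the GUID appended to the name.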