Solved

Who is talking to my Domain Controller

Posted on 2015-02-13
179 Views
Last Modified: 2015-02-16
I do not control my entire environment, and it is very possible that someone has set up an application to query my DC's (this specific DC by name, yes yes I know, bad practice) LDAP for authentication and authorization.  Now I need to rebuild my DC.  I need to know what other computers out there are using this DC.  I would really like your thoughts.
My thoughts:
netstat -aon, and evaluate all the IPs found
Event logs (which ones?)
Wireshark
Windows Firewall logs (currently off, other protections in place)
???
Question by:loftyworm
4 Comments
 
LVL 82

Accepted Solution

by:
arnold earned 1200 total points
ID: 40608422
Look at port 389 and 636 connections specifically.

Do you have ADFS set up?

Look at the security log.
Check with all parties.

If you try to look at only who connects, you might miss those who might be cyclical.
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 600 total points
ID: 40608480
I would highly recommend looking at the below Active Directory Team blog on how to monitor LDAP and Kerberos connections. This is shown with screenshots and also using Performance Monitor with data collector sets.

http://blogs.technet.com/b/askpfeplat/archive/2013/12/16/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers.aspx

As you have stated, you can also use Wireshark, which is a low-level trace of the packets based on ports. If you are familiar with this software, it is also a great tool to use.

Will.
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 200 total points
ID: 40609427
+1 for Will's info, but there could be an easier way if you are looking for LDAP-based application authentication/authorization, specifically:
http://codeidol.com/community/ad/enabling-inefficient-and-expensive-ldap-query-logg/2294/

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This would cause the domain controller to consider every search as expensive and log all the LDAP searches. While this can be very useful, you should use it with care as it could quickly fill your event log. Be sure to allow sufficient disk space for your Event Logs to avoid any issues with low disk space on your domain controllers.

You could then use PowerShell to pull the data from the event logs.
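As an added example (not code posted in this thread), a PowerShell script that applies the two registry settings Tony describes and then summarises the resulting Directory Service event 1644 entries by client IP, so periodic jobs show up once logging has run long enough. The registry paths and the event ID are the standard NTDS diagnostic ones; the message-parsing regexes assume the default English event text.

```powershell
# Added example, not from the thread. Run elevated on the DC you plan to rebuild.
# Registry locations for the NTDS diagnostic settings named in the answer above.
$diag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapSearchLogging {
    # Level 5 on "15 Field Engineering" plus a threshold of 0 makes every
    # search count as expensive, so each one is written as event 1644.
    Set-ItemProperty -Path $diag   -Name '15 Field Engineering'               -Value 5 -Type DWord
    Set-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' -Value 0 -Type DWord
}

function Disable-LdapSearchLogging {
    # Turn the category back off and drop the override so the built-in
    # threshold applies again; the log fills quickly while this is enabled.
    Set-ItemProperty    -Path $diag   -Name '15 Field Engineering'               -Value 0 -Type DWord
    Remove-ItemProperty -Path $params -Name 'Expensive Search Results Threshold' -ErrorAction SilentlyContinue
}

function Get-LdapClientSummary {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # Each event 1644 in the Directory Service log describes one LDAP search.
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = $Since
    } -ErrorAction SilentlyContinue

    $rows = foreach ($e in $events) {
        # The message carries lines such as "Client: 10.0.0.5:49231" and
        # "Filter: (sAMAccountName=svc-app)"; regexes assume that English text.
        $client = if ($e.Message -match 'Client:\s*(\S+)') { $Matches[1] } else { 'unknown' }
        $filter = if ($e.Message -match 'Filter:\s*(.+)')  { $Matches[1].Trim() } else { '' }
        [pscustomobject]@{
            ClientIP = $client -replace ':\d+$', ''   # strip the ephemeral source port
            Filter   = $filter
            Time     = $e.TimeCreated
        }
    }

    # One line per client: how often it searched, when it first appeared,
    # and a sample filter to help identify the application behind the IP.
    $rows | Group-Object ClientIP | Sort-Object Count -Descending |
        Select-Object Name, Count,
            @{ n = 'FirstSeen';    e = { ($_.Group | Measure-Object Time -Minimum).Minimum } },
            @{ n = 'SampleFilter'; e = { $_.Group[0].Filter } }
}

# Usage: Enable-LdapSearchLogging; leave it on long enough to catch scheduled jobs;
# then Get-LdapClientSummary | Format-Table -AutoSize; finally Disable-LdapSearchLogging
```

Size the Directory Service log generously before enabling this, as the answer warns; the summary only reflects searches that were still in the log when it ran.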
 
LVL 11

Author Closing Comment

by:loftyworm
ID: 40612485
TY all!