Solved

Who is talking to my Domain Controller

Posted on 2015-02-13
4
125 Views
Last Modified: 2015-02-16
I do not control my entire environment, and it is very possible that someone has set up an application to query my DC's (this specific DC by name, yes yes I know, bad practice) LDAP for authentication and authorization. Now I need to rebuild my DC. I need to know what other computers out there are using this DC. I would really like your thoughts.
My thoughts:
netstat -aon, and evaluate all the IPs found
Event logs (which ones?)
Wireshark
Windows Firewall logs (currently off, other protections in place)
???
Question by: loftyworm
4 Comments
 
LVL 78

Accepted Solution

by:
arnold earned 300 total points
ID: 40608422
Look at port 389 and 636 connections specifically.

Do you have ADFS set up?

Look at the security log.
Check with all parties.

If you try to look at only who connects, you might miss those who might be cyclical.
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 150 total points
ID: 40608480
I would highly recommend looking at the below Active Directory Team blog on how to monitor LDAP and Kerberos connections. It is illustrated with screenshots and also covers using Performance Monitor with data collector sets.

http://blogs.technet.com/b/askpfeplat/archive/2013/12/16/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers.aspx

As you have stated, you can also use Wireshark, which is a low-level trace of the packets based on ports. If you are familiar with this software, it is also a great tool to use.

Will.
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 50 total points
ID: 40609427
+1 for Will's info, but there could be an easier way if you are looking for LDAP-based application authentication/authorization, specifically:
http://codeidol.com/community/ad/enabling-inefficient-and-expensive-ldap-query-logg/2294/

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This would cause the domain controller to consider every search as expensive and log all the LDAP searches. While this can be very useful, you should use it with care as it could quickly fill your event log. Be sure to allow sufficient disk space for your Event Logs to avoid any issues with low disk space on your domain controllers.

You could then use PowerShell to pull the data from the event logs.
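The two approaches raised in the thread (a live look at 389/636 connections, and the Field Engineering diagnostic logging followed by pulling the results out of the event log with PowerShell) as one added example. This is not code from the thread or from the linked articles; it assumes a Server 2012 or later DC (for Get-NetTCPConnection), that the logging writes Event ID 1644 to the Directory Service log, and that the 1644 message carries a "Client:" line in the form <address>:<port>.

```powershell
# Added example: who is using this DC over LDAP/LDAPS.
# Run on the domain controller itself, as an administrator.

function Get-LdapPeersNow {
    # Snapshot of remote endpoints currently connected to the LDAP (389) and LDAPS (636)
    # listeners; the same information "netstat -aon" shows, grouped by client address.
    Get-NetTCPConnection -LocalPort 389, 636 -ErrorAction SilentlyContinue |
        Where-Object { $_.State -ne 'Listen' } |
        Group-Object RemoteAddress |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

function Set-LdapSearchLogging {
    # Turns the "15 Field Engineering = 5 / Expensive Search Results Threshold = 0" logging
    # on, or reverts it with -Disable. Remember the event log growth warning in the thread.
    param([switch]$Disable)
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    if ($Disable) {
        Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 0 -Type DWord
        Remove-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold' -ErrorAction SilentlyContinue
    } else {
        Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
        Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold' -Value 0 -Type DWord
    }
}

function Get-LdapClientsFromLog {
    # Summarises which clients issued LDAP searches, from the Event ID 1644 entries the
    # logging above produces. Clients that only connect occasionally (arnold's "cyclical"
    # ones) show up here even if they were absent from the live snapshot.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumed message layout: a "Client:" line followed by <address>:<port>.
            if ($_.Message -match 'Client:\s*(?<addr>\S+):\d+') { $Matches['addr'] }
        } |
        Group-Object |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Client'; e = { $_.Name } }, Count
}

Get-LdapPeersNow
# Set-LdapSearchLogging        # enable, wait through a full business cycle, then:
Get-LdapClientsFromLog
# Set-LdapSearchLogging -Disable
```

Resolve the addresses with a reverse DNS lookup afterwards, and compare both lists against what the application owners report, since a client that authenticates via Kerberos rather than LDAP binds will not appear in the 1644 output.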
 
LVL 11

Author Closing Comment

by:loftyworm
ID: 40612485
TY all!
