Solved

Who is talking to my Domain Controller

Posted on 2015-02-13
4
83 Views
Last Modified: 2015-02-16
I do not control my entire environment, and it is very possible that someone has set up an application to query my DC's (this specific DC by name, yes yes I know, bad practice) LDAP for authentication and authorization.  Now I need to rebuild my DC.  I need to know what other computers out there are using this DC.  I would really like your thoughts.
My thoughts:
netstat -aon, and evaluate all the IPs found
Event logs (which ones?)
Wireshark
Windows Firewall logs (currently off, other protections in place)
???
0
Question by:loftyworm
4 Comments
 
LVL 76

Accepted Solution

by:
arnold earned 300 total points
Look at port 389 and 636 connections specifically.

Do you have ADFS set up?

Look at the security log.
Check with all parties.

If you try to look at only who connects, you might miss those who might be cyclical.
0
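The point in the answer above about missing cyclical clients is the reason a single netstat snapshot is not enough. The following PowerShell script is an added example, not code from the thread or from Experts Exchange: it runs netstat -ano on the DC repeatedly, keeps every remote address seen on the LDAP (389) and LDAPS (636) ports, counts how often each one shows up, and writes a CSV at the end. The sample count, interval and report path are illustrative parameters you would adjust; it assumes PowerShell 3 or later on the DC itself.

```powershell
# Added example (not from the thread): sample LDAP/LDAPS connections to this DC
# repeatedly so that clients that connect only periodically are still caught.
# Assumes it runs on the DC itself; $SampleCount/$IntervalSeconds are illustrative.
param(
    [int]$SampleCount     = 60,          # e.g. 60 samples ...
    [int]$IntervalSeconds = 60,          # ... one minute apart = one hour of watching
    [int[]]$LdapPorts     = @(389, 636), # ports named in the answer
    [string]$ReportPath   = "$env:TEMP\ldap-clients.csv"
)

$seen = @{}   # key = "remoteIp|localPort", value = first/last seen and hit count

for ($i = 0; $i -lt $SampleCount; $i++) {
    # netstat -ano columns: Proto, Local Address, Foreign Address, [State], PID
    $lines = netstat -ano | Where-Object { $_ -match '^\s*(TCP|UDP)' }
    foreach ($line in $lines) {
        $f = $line.Trim() -split '\s+'
        $proto, $local, $remote = $f[0], $f[1], $f[2]
        # Addresses are "ip:port" or "[ipv6]:port"; the port follows the last colon
        $localPort = [int]$local.Substring($local.LastIndexOf(':') + 1)
        if ($LdapPorts -notcontains $localPort) { continue }
        $remoteIp = $remote.Substring(0, $remote.LastIndexOf(':')).Trim('[', ']')
        if (@('0.0.0.0', '::', '*') -contains $remoteIp) { continue }   # listening sockets
        $key = "$remoteIp|$localPort"
        $now = Get-Date
        if (-not $seen.ContainsKey($key)) {
            $seen[$key] = New-Object PSObject -Property @{
                RemoteIp = $remoteIp; Port = $localPort; Proto = $proto
                FirstSeen = $now; LastSeen = $now; Hits = 0
            }
        }
        $seen[$key].LastSeen = $now
        $seen[$key].Hits++
    }
    Start-Sleep -Seconds $IntervalSeconds
}

# Resolve names for the report; DNS failures are tolerated and leave HostName empty
$report = foreach ($e in $seen.Values) {
    $name = try { [System.Net.Dns]::GetHostEntry($e.RemoteIp).HostName } catch { '' }
    $e | Add-Member -MemberType NoteProperty -Name HostName -Value $name -PassThru
}
$report | Sort-Object Hits -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
$report | Sort-Object Hits -Descending | Format-Table RemoteIp, HostName, Port, Proto, FirstSeen, LastSeen, Hits -AutoSize
```

Run it as a scheduled task over at least one full business cycle (nightly jobs, weekly reports) so that the Hits and FirstSeen/LastSeen columns separate always-on clients from the occasional ones; the resulting list is what you then take to each application owner before the rebuild.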
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 150 total points
I would highly recommend looking at the below Active Directory Team blog on how to monitor LDAP and Kerberos connections. This is displayed with screenshots and also using Performance Monitor using data collector sets.

http://blogs.technet.com/b/askpfeplat/archive/2013/12/16/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers.aspx

As you have stated you can also use Wireshark, which is a low-level trace of the packets based on ports. If you are familiar with this software it is also a great tool to use.

Will.
0
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 50 total points
+1 for Will's info, but there could be an easier way if you are looking for LDAP-based application authentication/authorization, specifically:
http://codeidol.com/community/ad/enabling-inefficient-and-expensive-ldap-query-logg/2294/

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This would cause the domain controller to consider every search as expensive and log all the LDAP searches. While this can be very useful, you should use it with care as it could quickly fill your event log. Be sure to allow sufficient disk space for your Event Logs to avoid any issues with low disk space on your domain controllers.

You could then use PowerShell to pull the data from the event logs.
0
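The answer above describes the settings but not the commands, so here is an added PowerShell example (not from the thread or the linked article) that sets "15 Field Engineering" to 5 and "Expensive Search Results Threshold" to 0 under the NTDS registry keys, pulls the resulting Directory Service event 1644 entries with Get-WinEvent, and summarises them by client address, and then turns the logging off again. The registry paths and value names are the standard NTDS ones; the regular expressions assume the 1644 message text contains "Client:" and "User:" lines followed by the address and account, which is an assumption about the message layout on your OS version, and the function names are my own.

```powershell
# Added example (not from the thread or the linked article): enable the
# "15 Field Engineering" LDAP search logging described in the answer, then
# summarise Directory Service event 1644 by client. Requires PowerShell 3+
# and an elevated prompt on the DC. Turn it off again when done: with the
# threshold at 0 every search is logged and the log fills quickly.
$diagKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$paramKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapQueryLogging {
    # Level 5 plus a threshold of 0 makes the DC treat every search as expensive,
    # so each one is written to the Directory Service log as event 1644
    Set-ItemProperty -Path $diagKey  -Name '15 Field Engineering'               -Value 5 -Type DWord
    Set-ItemProperty -Path $paramKey -Name 'Expensive Search Results Threshold' -Value 0 -Type DWord
}

function Disable-LdapQueryLogging {
    Set-ItemProperty -Path $diagKey -Name '15 Field Engineering' -Value 0 -Type DWord
    # Drop our override so the DC's built-in default threshold applies again
    Remove-ItemProperty -Path $paramKey -Name 'Expensive Search Results Threshold' -ErrorAction SilentlyContinue
}

function Get-LdapClientSummary {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Directory Service'; Id = 1644; StartTime = $Since
    } -ErrorAction SilentlyContinue
    $rows = foreach ($ev in $events) {
        # Assumed message layout: a line like "Client:  10.1.2.3:49152" (or "[ipv6]:port");
        # the greedy \S+ backtracks to the last colon, so the port is split off correctly
        if ($ev.Message -match 'Client:\s*(\S+):(\d+)') {
            $client = $Matches[1].Trim('[', ']')
            $user   = if ($ev.Message -match 'User:\s*(\S+)') { $Matches[1] } else { '' }
            New-Object PSObject -Property @{ Client = $client; User = $user; Time = $ev.TimeCreated }
        }
    }
    $rows | Group-Object Client | Sort-Object Count -Descending |
        Select-Object @{n = 'Client';   e = { $_.Name }},
                      Count,
                      @{n = 'Users';    e = { ($_.Group | ForEach-Object { $_.User } | Sort-Object -Unique) -join ',' }},
                      @{n = 'LastSeen'; e = { ($_.Group | ForEach-Object { $_.Time } | Measure-Object -Maximum).Maximum }}
}

# Usage: Enable-LdapQueryLogging; wait out a business cycle; then
#        Get-LdapClientSummary | Format-Table -AutoSize; Disable-LdapQueryLogging
```

Because the summary is keyed on the client address and carries the account that bound, it answers the original question more directly than a socket list: a service account seen from an application server is exactly the "someone set up an application against this DC by name" case the question is worried about. Before enabling it, raise the Directory Service log's maximum size (or set it to archive) as the answer advises, and re-run Disable-LdapQueryLogging as soon as the capture window is over.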
 
LVL 11

Author Closing Comment

by:loftyworm
TY all!
0
