Solved

Who is talking to my Domain Controller

Posted on 2015-02-13
4
99 Views
Last Modified: 2015-02-16
I do not control my entire environment, and it is very possible that someone has setup an application to query my DC's (This specific DC by name, yes yes I know, bad practice) LDAP for authentication and Authorization.  Now I need to rebuild my DC.  I need to know what other computers out there are using this DC.  I would really like your thoughts.
My thoughts;
netstat -aon, and evaluate all the IP's found
Event logs (which ones?)
Wire shark
Windows Firewall logs (currently off, other protections in place)
???
0
Comment
Question by:loftyworm
4 Comments
 
LVL 77

Accepted Solution

by:
arnold earned 300 total points
ID: 40608422
look at port 389 and 636 connections specifically.

Do you have ADFS setup

Look at the security log.
Check with all parties.

If you try to look at only who connects, you might miss those who might be cyclical.
0
 
LVL 53

Assisted Solution

by:Will Szymkowski
Will Szymkowski earned 150 total points
ID: 40608480
I would highly recommend looking at the below Active Directory Team blog on how to monitor ldap and kerberos connections. This is displayed with screenshots and also using performance monitor using data collector sets.

http://blogs.technet.com/b/askpfeplat/archive/2013/12/16/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers.aspx

As you have stated you can also use wireshark which is a low level trace of the packets based on ports. If you are familiar with this software is it also a great tool to use.

Will.
0
 
LVL 17

Assisted Solution

by:Tony Massa
Tony Massa earned 50 total points
ID: 40609427
+1 For Wills info, but there could be an easier way if you are looking for LDAP-based application authentication/authorization, specifically:
http://codeidol.com/community/ad/enabling-inefficient-and-expensive-ldap-query-logg/2294/

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This would cause the domain controller to consider every search as expensive and log all the LDAP searches. While this can be very useful, you should use it with care as it could quickly fill your event log. Be sure to allow sufficient disk space for your Event Logs to avoid any issues with low disk space on your domain controllers.

You could then use PowerShell to pull the data from the event logs.
0
 
LVL 11

Author Closing Comment

by:loftyworm
ID: 40612485
TY all!
0

Featured Post

Netscaler Common Configuration How To guides

If you use NetScaler you will want to see these guides. The NetScaler How To Guides show administrators how to get NetScaler up and configured by providing instructions for common scenarios and some not so common ones.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Is your Office 365 signature not working the way you want it to? Are signature updates taking up too much of your time? Let's run through the most common problems that an IT administrator can encounter when dealing with Office 365 email signatures.
This article explains the steps required to use the default Photos screensaver to display branding/corporate images
This video Micro Tutorial explains how to clone a hard drive using a commercial software product for Windows systems called Casper from Future Systems Solutions (FSS). Cloning makes an exact, complete copy of one hard disk drive (HDD) onto another d…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …

830 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question