Solved

Who is talking to my Domain Controller

Posted on 2015-02-13
Last Modified: 2015-02-16
I do not control my entire environment, and it is very possible that someone has set up an application to query my DC's (this specific DC by name, yes yes I know, bad practice) LDAP for authentication and authorization.  Now I need to rebuild my DC.  I need to know what other computers out there are using this DC.  I would really like your thoughts.
My thoughts:
netstat -aon, and evaluate all the IPs found
Event logs (which ones?)
Wireshark
Windows Firewall logs (currently off, other protections in place)
???
Question by: loftyworm

4 Comments
LVL 80

Accepted Solution

by: arnold (earned 1200 total points)
ID: 40608422
Look at port 389 and 636 connections specifically.

Do you have ADFS set up?

Look at the security log.
Check with all parties.

If you try to look at only who connects, you might miss those who might be cyclical.
LVL 53

Assisted Solution

by: Will Szymkowski (earned 600 total points)
ID: 40608480
I would highly recommend looking at the below Active Directory Team blog on how to monitor LDAP and Kerberos connections. It is illustrated with screenshots and also uses Performance Monitor data collector sets.

http://blogs.technet.com/b/askpfeplat/archive/2013/12/16/domain-and-dc-migrations-how-to-monitor-ldap-kerberos-and-ntlm-traffic-to-your-domain-controllers.aspx

As you have stated, you can also use Wireshark, which is a low-level trace of the packets based on ports. If you are familiar with this software, it is also a great tool to use.

Will.
LVL 17

Assisted Solution

by: Tony Massa (earned 200 total points)
ID: 40609427
+1 for Will's info, but there could be an easier way if you are looking for LDAP-based application authentication/authorization, specifically:
http://codeidol.com/community/ad/enabling-inefficient-and-expensive-ldap-query-logg/2294/

If you want to see all the LDAP queries that are being sent to a domain controller, a quick way to do that would be to set the 15 Field Engineering setting to 5 and Expensive Search Results Threshold to 0. This would cause the domain controller to consider every search as expensive and log all the LDAP searches. While this can be very useful, you should use it with care as it could quickly fill your event log. Be sure to allow sufficient disk space for your Event Logs to avoid any issues with low disk space on your domain controllers.

You could then use PowerShell to pull the data from the event logs.
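An added example (not code from the thread or from the linked article) that puts arnold's port check and Tony's diagnostics suggestion into one PowerShell script: it enables the "15 Field Engineering" / "Expensive Search Results Threshold" logging, summarizes the resulting Directory Service event 1644 entries by client IP, lists established LDAP connections, and turns the logging back off. Assumptions: Windows Server 2012 R2 or later (for Get-NetTCPConnection), and that the 1644 message text names the caller as "Client: <ip>:<port>"; the function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example. Registry locations are the documented NTDS diagnostics keys;
# the "Client: ip:port" format of event 1644 is an assumption (adjust the regex if it differs).
$Diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$Parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Enable-LdapSearchLogging {
    # Level 5 plus a threshold of 0 makes every LDAP search "expensive", so each one is logged.
    # Watch the Directory Service log size while this is on.
    Set-ItemProperty -Path $Diag -Name '15 Field Engineering' -Value 5 -Type DWord
    Set-ItemProperty -Path $Parm -Name 'Expensive Search Results Threshold' -Value 0 -Type DWord
}

function Disable-LdapSearchLogging {
    # Back to the defaults: logging level 0, threshold 10000 results.
    Set-ItemProperty -Path $Diag -Name '15 Field Engineering' -Value 0 -Type DWord
    Set-ItemProperty -Path $Parm -Name 'Expensive Search Results Threshold' -Value 10000 -Type DWord
}

function Get-LdapClientsFromEvents {
    param([datetime]$Since = (Get-Date).AddHours(-24))
    # Event 1644 is written once per logged search; pull the client address out of the message.
    $filter = @{ LogName = 'Directory Service'; Id = 1644; StartTime = $Since }
    $clients = foreach ($e in Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue) {
        if ($e.Message -match 'Client:\s*(\[[^\]]+\]|[\d\.]+):\d+') { $Matches[1] }
    }
    $clients | Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count
}

function Get-LdapClientsFromSockets {
    # Live view of who is connected to LDAP/LDAPS and the Global Catalog ports right now.
    Get-NetTCPConnection -LocalPort 389, 636, 3268, 3269 -State Established -ErrorAction SilentlyContinue |
        Group-Object RemoteAddress | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientIP'; e = { $_.Name } }, Count
}

# Typical run: enable, let the DC work for a day, then collect both views and disable.
Enable-LdapSearchLogging
Get-LdapClientsFromSockets | Format-Table -AutoSize
Get-LdapClientsFromEvents  | Format-Table -AutoSize
Disable-LdapSearchLogging
```

Periodic callers (arnold's "cyclical" ones) only show up in the event summary, so leave logging enabled across at least one full cycle of the jobs you suspect before comparing the two lists.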
LVL 11

Author Closing Comment

by:loftyworm
ID: 40612485
TY all!