Windows 2012 domain controller best practices
In branch offices in which virtual domain controllers cannot run on separate physical hosts from the rest of the virtual server population, you should implement TPM chips and BitLocker Drive Encryption on the hosts on which virtual domain controllers run at a minimum, and on all hosts if possible. Depending on the size of the branch office and the physical security of the hosts, you should consider deploying RODCs in branch locations.
If your infrastructure includes locations in which only a single physical server can be installed, a server capable of running virtualization workloads should be installed in the remote location, and BitLocker Drive Encryption should be configured to protect all volumes on the server.
One virtual machine on the server should run an RODC, with other servers running as separate virtual machines on the host. For more information about deploying and securing virtualized domain controllers, see Running Domain Controllers in Hyper-V. For more detailed guidance for hardening Hyper-V, delegating virtual machine management, and protecting virtual machines, see the Hyper-V Security Guide Solution Accelerator on the Microsoft website. You should run all domain controllers on the newest version of Windows Server that is supported within your organization and prioritize decommissioning of legacy operating systems in the domain controller population.
By keeping your domain controllers current and eliminating legacy domain controllers, you can often take advantage of new functionality and security features that are not available in domains or forests with domain controllers running legacy operating systems.
As for any security-sensitive, single-purpose configuration, we recommend that you deploy the operating system using the Server Core installation option. It provides multiple benefits, such as minimizing the attack surface, improving performance, and reducing the likelihood of human error. It is recommended that all operations and management be performed remotely, from dedicated, highly secured endpoints such as Privileged Access Workstations (PAWs) or secure administrative hosts.
A number of freely available tools, some of which are installed by default in Windows, can be used to create an initial security configuration baseline for domain controllers that can subsequently be enforced by GPOs. These tools are described in the "Administer security policy settings" section of the Microsoft operating system documentation.
Group Policy Objects linked to all Domain Controllers OUs in a forest should be configured to allow RDP connections only from authorized users and systems (for example, jump servers). This can be achieved through a combination of user rights settings and Windows Firewall with Advanced Security (WFAS) configuration, and should be implemented in GPOs so that the policy is consistently applied.
If it is bypassed, the next Group Policy refresh returns the system to its proper configuration. Although it may seem counterintuitive, you should consider patching domain controllers and other critical infrastructure components separately from your general Windows infrastructure. If you leverage enterprise configuration management software for all computers in your infrastructure, compromise of the systems management software can be used to compromise or destroy all infrastructure components managed by that software.
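The following PowerShell is an added example, not code from the page or from Microsoft's documentation, showing the WFAS half of that GPO: the RDP allow rule is written into the GPO itself and scoped to the jump servers, the domain profile keeps its inbound default of Block, and local rules are prevented from merging so that a rule added on a domain controller cannot widen access. The domain name, GPO name and jump server addresses are assumed values; the GPO is assumed to exist already and to be linked to the Domain Controllers OU.

```powershell
# Added example (not from the page): GPO-backed WFAS policy that limits inbound RDP
# on domain controllers to named jump servers.
# Assumed: GPO 'DC Hardening' exists in contoso.com and is linked to the Domain
# Controllers OU. The jump server addresses are constructed sample values.
$gpoStore  = 'contoso.com\DC Hardening'      # assumed: <domain FQDN>\<GPO name>
$jumpHosts = @('10.10.5.10', '10.10.5.11')   # constructed: authorised jump servers

# Keep the inbound default at Block and stop locally created rules from being merged
# into the effective policy, so the GPO is the only source of RDP allow rules.
Set-NetFirewallProfile -PolicyStore $gpoStore -Profile Domain `
    -DefaultInboundAction Block -AllowLocalFirewallRules False

# The single inbound RDP allow rule in the GPO is scoped to the jump servers.
New-NetFirewallRule -PolicyStore $gpoStore `
    -DisplayName 'DC: allow RDP from jump servers only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $jumpHosts -Action Allow -Profile Domain

# Verification: list every allow rule in the GPO that opens TCP 3389 together with
# its remote address scope. A rule whose scope is 'Any' reopens RDP to the network.
$rdpRules = Get-NetFirewallRule -PolicyStore $gpoStore -Direction Inbound -Action Allow |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '3389' }
$rdpRules | ForEach-Object {
    $scope = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($scope -join ', ') }
}
```

The user rights half ("Allow log on through Remote Desktop Services" under Computer Configuration, Policies, Windows Settings, Security Settings, Local Policies, User Rights Assignment) has no dedicated cmdlet and is set in the same GPO through the Group Policy Management Editor; together the two controls restrict both which hosts may reach the RDP port and which accounts may log on through it. Run the verification part again after each Group Policy change to confirm no second RDP allow rule has crept into the GPO.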
By separating patch and systems management for domain controllers from the general population, you can reduce the amount of software installed on domain controllers, in addition to tightly controlling their management. One of the checks that is performed as part of an Active Directory Security Assessment is the use and configuration of Internet Explorer on domain controllers.
Internet Explorer or any other web browser should not be used on domain controllers, but analysis of thousands of domain controllers has revealed numerous cases in which privileged users used Internet Explorer to browse the organization's intranet or the Internet. As previously described in the "Misconfiguration" section of Avenues to Compromise, browsing the Internet or an infected intranet from one of the most powerful computers in a Windows infrastructure, using a highly privileged account (the only kind of account permitted to log on locally to domain controllers by default), presents an extraordinary risk to an organization's security.
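One way to turn that assessment check into a recurring control is to look for browser process launches on the domain controllers themselves. The PowerShell below is an added example (not from the page or from Microsoft's assessment tooling): it reads process-creation events (Security event ID 4688) from every domain controller in the domain and reports any launch of a browser executable together with the account that started it. It assumes process creation auditing is enabled on the domain controllers and that the caller can read their Security logs remotely; the browser list and the seven-day look-back window are constructed values.

```powershell
# Added example (not from the page): report browser launches on domain controllers
# from Security event 4688 (process creation). Assumes process creation auditing is
# enabled and the caller can read the DCs' Security logs. Browser list and look-back
# window are constructed values.
Import-Module ActiveDirectory

$browsers = @('iexplore.exe', 'msedge.exe', 'chrome.exe', 'firefox.exe')
$since    = (Get-Date).AddDays(-7)
$dcs      = (Get-ADDomainController -Filter *).HostName

$findings = foreach ($dc in $dcs) {
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4688
        StartTime = $since
    }
    foreach ($e in $events) {
        # In event 4688, Properties[5] is NewProcessName and Properties[1] the subject
        # account name that created the process.
        $exe = Split-Path -Leaf $e.Properties[5].Value
        if ($browsers -contains $exe) {
            [pscustomobject]@{
                DomainController = $dc
                Time             = $e.TimeCreated
                Account          = $e.Properties[1].Value
                Process          = $e.Properties[5].Value
            }
        }
    }
}

$findings | Sort-Object Time | Format-Table -AutoSize
```

An empty result is only meaningful if auditing is actually on: confirm with `auditpol /get /subcategory:"Process Creation"` on each domain controller before trusting the report. Each hit is a privileged logon session on a domain controller that reached out to the web, which is exactly the condition the preceding paragraph describes, so treat it as an incident to investigate rather than a hygiene note.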
The methods discussed are based largely on the experience of the Microsoft Information Security and Risk Management (ISRM) organization, which is accountable for protecting the assets of Microsoft IT and other Microsoft business divisions, in addition to advising a selected number of Microsoft global customers. Uninstalling the application or service is the recommended method.
Once you are done with taking the source domain controller offline in step 6, you can re-add the MSA using Install-ADServiceAccount when the server is back online. Group MSAs support cloning. The contents of the DcCloneConfig.xml file allow you to specify unique details such as the new computer name and IP address. The files require precise naming, formatting, and placement; otherwise, cloning fails.
For that reason, you should always use the Windows PowerShell cmdlets to create the XML files and place them in the correct location. You run the cmdlet on the proposed source domain controller that you intend to clone. The cmdlet supports multiple arguments and when used, always tests the computer and environment where it is run unless you specify the -offline argument.
String data type. Array data type; up to four entries can be provided. There is no way to set static IPv6 address information in virtualized domain controller cloning. Has no parameters. Tests performed when run in online mode: You cannot copy a running source DC; it must be shut down gracefully.
Do not clone a domain controller stopped by graceless power loss. Stop-Computer is a cmdlet that supports shutting down computers regardless of virtualization, and is analogous to the legacy Shutdown.exe utility. The latter is useful in lab environments where the domain controller often operates on a private virtualized network. All of a virtual machine's disks must be copied, not just the system drive. If the source domain controller uses differencing disks and you plan to move your cloned domain controller to another Hyper-V host, you must export.
Copying disks manually is recommended if the source domain controller has only one drive. If copying files manually, delete any snapshots prior to copying. If exporting the VM, delete snapshots prior to exporting or delete them from the new VM after importing. Snapshots are differencing disks that can return a domain controller to previous state.
If you were to clone a domain controller and then restore its pre-cloning snapshot, you would end up with duplicate domain controllers in the forest. There is no value in prior snapshots on a newly cloned domain controller. Use the Hyper-V Manager snap-in to determine which disks are associated with the source domain controller. Use the Inspect option to validate whether the domain controller uses differencing disks, which require that you copy the parent disk as well. No special steps are required.
It is a best practice to change the file names even if moving to another folder. Combine with VM cmdlets in pipelines to aid automation. The pipeline is a channel used between multiple cmdlets to pass data. You cannot use pass-through disks with cloning, as they do not use a virtual disk file but instead an actual hard disk. As an alternative to copying the disks, you can export the entire Hyper-V VM as a copy. Exporting automatically creates a folder named for the VM that contains all disks and configuration information.
Windows Server Hyper-V supports new export and import capabilities that are outside the scope of this training. Review TechNet for more information. The final option is to use the disk merge and conversion options within Hyper-V. Its lone advantage is that, unlike manually copying, it does not require you to first delete snapshots. This operation is necessarily slower than simply deleting the snapshots and copying disks.
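The preparation steps above (graceful shutdown, checking every disk and its type, refusing pass-through disks, deleting snapshots, then exporting) chain naturally into a Hyper-V module pipeline. The PowerShell below is an added example, not code from the page or from Microsoft, run on the Hyper-V host. It assumes the VM name and the guest's DNS name are both `DC-SOURCE` and that `D:\Exports` is the export target; both are constructed values.

```powershell
# Added example (not from the page): prepare a source DC VM for cloning on the Hyper-V
# host. Assumed: VM name and guest DNS name are both 'DC-SOURCE'; export target
# D:\Exports. Both are constructed values.
Import-Module Hyper-V

$sourceVm   = 'DC-SOURCE'
$exportRoot = 'D:\Exports'

# 1. Graceful shutdown only (never clone a DC that lost power). Stop-Computer shuts
#    the guest down through its own OS; Stop-VM without -Force is the Hyper-V-side
#    equivalent when the guest has no network path from the host.
Stop-Computer -ComputerName $sourceVm -Force
while ((Get-VM -Name $sourceVm).State -ne 'Off') { Start-Sleep -Seconds 5 }

# 2. Pipeline VM -> hard disk drives -> VHD metadata to see what has to be copied.
$drives = Get-VM -Name $sourceVm | Get-VMHardDiskDrive
if ($drives | Where-Object { $null -ne $_.DiskNumber }) {
    # A non-null DiskNumber means a pass-through (physical) disk, which cannot be cloned.
    throw 'Pass-through disk attached: cloning requires virtual disk files.'
}
$vhds = $drives | Get-VHD
$vhds | Select-Object Path, VhdType, ParentPath | Format-Table -AutoSize
if ($vhds | Where-Object { $_.VhdType -eq 'Differencing' -and $_.Path -notlike '*.avhd*' }) {
    Write-Warning 'Source uses differencing disks: parent disks must travel with the clone (export the VM).'
}

# 3. Delete every snapshot before copying; restoring a pre-clone snapshot later would
#    put a duplicate DC into the forest. Removal merges the .avhdx chain in the
#    background, so wait until no snapshot-era differencing disk remains attached.
Get-VMSnapshot -VMName $sourceVm | Remove-VMSnapshot
while (Get-VM -Name $sourceVm | Get-VMHardDiskDrive | Get-VHD | Where-Object Path -like '*.avhd*') {
    Start-Sleep -Seconds 5
}

# 4. Export the whole VM: all disks plus configuration, in a folder named after the VM.
Export-VM -Name $sourceVm -Path $exportRoot
```

If you copy the disk files manually instead of exporting, do it only after the loop in step 3 has finished, and copy every path that step 2 listed, including `ParentPath` entries for any genuine differencing disks.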
Browse for the lowest child disk. For example, if you are using a differencing disk, the child disk is the lowest child. If the virtual machine has a snapshot (or multiple ones), the currently selected snapshot is the lowest child disk.
Select the Merge option to create a single disk out of the entire parent-child structure. Select a new virtual hard disk and provide a path. To create a merged disk from a complex set of parents using the Hyper-V Windows PowerShell module, use this cmdlet: If you did copy the DcCloneConfig.xml file.
These paths are not configurable. After cloning begins, the cloning process checks these locations in that specific order and uses the first DcCloneConfig.xml file it finds. To create a clone domain controller named Clone2 in offline mode with static IPv4 and static IPv6 settings, type: To create a clone domain controller named Clone1 in offline mode with dynamic IPv4 and static IPv6 settings, type:
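The PowerShell below is an added example, not the page's own command listing, covering the cmdlet the text describes: the clone allow-list check on the running source domain controller, the online form that validates the environment, and the three offline scenarios named above (static IPv4 with static IPv6 DNS settings, dynamic IPv4 with static IPv6 DNS settings, and fully dynamic). Computer names, site name, addresses and the `F:\` mount point of the copied system disk are constructed values.

```powershell
# Added example (not from the page): produce DcCloneConfig.xml with the cloning
# cmdlets. Names, addresses and paths are constructed; F:\ is assumed to be the
# mounted copy of the source DC's system disk.
Import-Module ActiveDirectory

# On the running source DC: list installed software that is not on the default clone
# allow list. Uninstall what you can; only add the rest to the custom allow list after
# confirming each service is safe to clone (-GenerateXml writes CustomDCCloneAllowList.xml).
Get-ADDCCloningExcludedApplicationList
# Get-ADDCCloningExcludedApplicationList -GenerateXml

# Online form: without -Offline the cmdlet tests this DC and the environment (for
# example the PDC emulator version and Cloneable Domain Controllers membership) and
# then writes DcCloneConfig.xml into the DSA working directory.
New-ADDCCloneConfigFile -CloneComputerName 'Clone0' -SiteName 'Default-First-Site-Name'

# Offline forms run against the mounted copy of the system disk; -Path is the NTDS
# folder on that copy. Use exactly one of these per copied disk.
$ntds = 'F:\Windows\NTDS'   # assumed mount point of the copied disk

# Clone2: static IPv4 and static IPv6 DNS settings. -IPv4DNSResolver and
# -IPv6DNSResolver take up to four entries; the IPv6 address itself stays dynamic.
New-ADDCCloneConfigFile -Offline -CloneComputerName 'Clone2' -SiteName 'Default-First-Site-Name' `
    -Static -IPv4Address '10.0.0.5' -IPv4SubnetMask '255.255.255.0' `
    -IPv4DefaultGateway '10.0.0.1' -IPv4DNSResolver @('10.0.0.1', '10.0.0.2') `
    -IPv6DNSResolver '2001:db8::1' -Path $ntds

# Clone1: dynamic IPv4 (DHCP) with static IPv6 DNS settings.
New-ADDCCloneConfigFile -Offline -CloneComputerName 'Clone1' -SiteName 'Default-First-Site-Name' `
    -IPv6DNSResolver '2001:db8::1' -Path $ntds

# Clone3: dynamic IPv4 and dynamic IPv6.
New-ADDCCloneConfigFile -Offline -CloneComputerName 'Clone3' -Path $ntds

# Confirm exactly one config file is present on the copy before it is dismounted.
Get-ChildItem -Path $ntds -Filter 'DcCloneConfig.xml'
```

Because the boot-time cloning logic takes the first DcCloneConfig.xml it finds in its fixed search order, a stale file left in a different search location (for example from an earlier online run) wins over the one you just wrote; the final `Get-ChildItem` is only a check of the NTDS folder, so also make sure no copy remains in the Windows directory or on attached removable media.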
To create a clone domain controller in offline mode with dynamic IPv4 and dynamic IPv6 settings, type: This requires installation of the Desktop Experience feature on Windows Server. In the now-mounted drive, copy the XML files to a valid location.
You may be prompted for permissions to the folder. Click the mounted drive and click Eject from the Disk Tools menu. This allows you complete control over the process. For instance, the drive can be mounted with a specific drive letter, the file copied, and the drive dismounted. The final configuration step before starting the cloning process is creating a new VM that uses the disks from the copied source domain controller.
Depending on the selection made in the copying disks phase, you have two options: If you copied the system disk manually, you must create a new virtual machine using the copied disk. If there were multiple disks, network adapters, or other customizations, configure them before starting the domain controller.
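Both options for this last step, creating a new VM around the manually copied disks or importing the exported VM as a copy, can be done with the Hyper-V module. The PowerShell below is an added example, not code from the page or from Microsoft; VM names, the virtual switch name, memory size and all paths are constructed values, and the disk files are assumed to have been renamed as the text recommends.

```powershell
# Added example (not from the page): build the clone VM from the copied or exported
# disks and start it so the cloning process runs on first boot. VM names, switch,
# memory and paths are constructed values.
Import-Module Hyper-V

$cloneVm = 'DC-CLONE2'
$switch  = 'DC-Switch'   # assumed virtual switch the DCs attach to
$vmRoot  = 'D:\VMs'      # assumed VM storage root

# Option A: system disk copied (and renamed) manually. Match the source VM's
# generation and re-attach every additional disk before the first boot.
$systemVhd = "$vmRoot\$cloneVm\DC-CLONE2-system.vhdx"
$dataVhd   = "$vmRoot\$cloneVm\DC-CLONE2-data.vhdx"   # second disk, if the source had one
$vm = New-VM -Name $cloneVm -MemoryStartupBytes 4GB `
             -VHDPath $systemVhd -SwitchName $switch -Path $vmRoot
Add-VMHardDiskDrive -VM $vm -Path $dataVhd
Set-VMProcessor -VM $vm -Count 2

# Option B: whole VM exported. Import it as a copy with a new VM ID so Hyper-V treats
# it as a distinct machine, then rename it. (Uncomment instead of Option A.)
# $cfg = Get-ChildItem -Path 'D:\Exports\DC-SOURCE\Virtual Machines' |
#        Where-Object { $_.Extension -in '.vmcx', '.xml' } | Select-Object -First 1
# $vm  = Import-VM -Path $cfg.FullName -Copy -GenerateNewId `
#            -VirtualMachinePath $vmRoot -VhdDestinationPath "$vmRoot\$cloneVm"
# Rename-VM -VM $vm -NewName $cloneVm

# Sanity checks before boot: no snapshots (a restored one would yield a duplicate DC)
# and no disk still pointing at a file the source VM also uses.
if (Get-VMSnapshot -VM $vm) { throw 'Clone must not carry snapshots.' }
$sourcePaths = Get-VM -Name 'DC-SOURCE' -ErrorAction SilentlyContinue |
               Get-VMHardDiskDrive | Select-Object -ExpandProperty Path
$clonePaths  = Get-VMHardDiskDrive -VM $vm | Select-Object -ExpandProperty Path
if ($clonePaths | Where-Object { $sourcePaths -contains $_ }) {
    throw 'Clone shares a disk file with the source VM; copy or rename the disks first.'
}

Start-VM -VM $vm   # the clone renames itself and promotes on first boot
```

Keep the source domain controller powered off until the clone has finished its first boot and shows up under its new name in the domain; if the clone boots without a valid DcCloneConfig.xml it starts as a second copy of the source and must be shut down immediately.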