System Overview
| Attribute | Value |
|---|---|
| Product Name | Active Directory Domain Services (AD DS) |
| Vendor | Microsoft Corporation |
| Server Version | Windows Server 2019 |
| Forest Functional Level | Windows Server 2016 |
| Domain Name | NORCOPA (Northampton County PA) |
| Domain Controllers | 4 Domain Controllers |
| Total Objects | ~3,000 (users, computers, groups) |
| Sites | 12 physical locations |
Domain Controller Topology
The county operates 4 domain controllers distributed across primary sites for redundancy and performance.
Architecture Components
Domain Structure
- ✓ Single forest, single domain
- ✓ Organizational Units (OUs) by department
- ✓ Delegated administration
- ✓ OU-based Group Policy
- ✓ Global Catalog replication
Authentication
- ✓ Kerberos v5
- ✓ NTLM (legacy fallback; audit with the "Network security: Restrict NTLM" policies before restricting it)
- ✓ LDAP/LDAPS (LDAP signing and channel binding should be required on the domain controllers)
- ✓ Smart card support
- ✓ Duo MFA integration
Group Policy
- ✓ Security policies
- ✓ Software deployment
- ✓ User settings
- ✓ Password policies
- ✓ Audit policies
Directory Services
- ✓ DNS integration
- ✓ Certificate Services (PKI)
- ✓ Federation Services (ADFS)
- ✓ Rights Management
- ✓ Azure AD Connect
Windows Server 2022 Features
Planned upgrade path to Windows Server 2022 will provide these enhancements:
Secured-core Server
Hardware-rooted security with TPM 2.0, UEFI Secure Boot, and virtualization-based security (HVCI, System Guard). This depends on each domain controller's hardware and firmware, not only on the OS upgrade, so it has to be validated per DC model.
TLS 1.3 Support
TLS 1.3 is enabled by default in Schannel, so LDAPS, ADFS and other TLS services on the DCs negotiate it without registry changes. TLS 1.0/1.1 remain enabled on the server side, so legacy clients and appliances still need to be inventoried before those protocols are disabled.
Enhanced ADAC
Improved Active Directory Administrative Center for easier management.
Time-based Membership
Temporary (time-to-live) group membership. This is not new in Windows Server 2022: it is part of the Privileged Access Management optional feature available at the Windows Server 2016 forest functional level, which this forest already runs, so it can be enabled ahead of the upgrade.
PowerShell Cmdlets
New cmdlets for better automation of domain, user, and group management.
gMSA Improvements
Group Managed Service Accounts for Windows containers no longer require a domain-joined container host; the host retrieves the gMSA password using a standard domain user account carried in the credential spec instead of its own machine account.
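Because the forest already runs at the 2016 functional level, time-bound membership can be turned on today. The following is an added example, not code from the original page or from the county: it checks the forest level, enables the Privileged Access Management optional feature if needed, and grants a four-hour Domain Admins membership. The user name jdoe and the four-hour TTL are illustrative; run it as an Enterprise Admin from a host with the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original page): enable and use temporary group
# membership on a Windows Server 2016 forest functional level.
# 'jdoe' and the four-hour TTL are illustrative values.
Import-Module ActiveDirectory

$forest = Get-ADForest
if ($forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2016Forest) {
    throw "Temporary membership needs forest functional level 2016; current: $($forest.ForestMode)"
}

# The PAM optional feature carries the TTL-on-link support. Enabling it is
# irreversible, which is why the state is checked before calling Enable.
$pam = Get-ADOptionalFeature -Filter "Name -eq 'Privileged Access Management Feature'"
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $pam -Scope ForestOrConfigurationSet -Target $forest.Name
}

# Grant four hours of Domain Admins membership. The KDC caps the user's TGT
# lifetime to the remaining TTL, so the access lapses without a cleanup job.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe' -MemberTimeToLive (New-TimeSpan -Hours 4)

# Verify: time-bound members appear with a <TTL=seconds,DN> prefix.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member
```

Once the feature is on, the same -MemberTimeToLive switch works for any group, which is the usual way to replace standing membership in Tier 0 groups with just-in-time grants.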
Known Vulnerabilities
Netlogon elevation of privilege (CVE-2020-1472, "Zerologon"): a cryptographic flaw in the Netlogon Remote Protocol (MS-NRPC) lets an unauthenticated attacker with network access to a domain controller reset the DC machine account password and take over the domain. Fixed by the August 2020 updates; DCs with the February 2021 or later updates enforce secure RPC for all Netlogon secure channels, and any 5829 events in the System log mean a DC is still in the compatibility phase.
sAMAccountName spoofing and KDC confusion (CVE-2021-42278 and CVE-2021-42287, "noPac"): an authenticated user who can create or control a machine account renames it to match a domain controller's name without the trailing "$", requests a TGT, then renames it back so the KDC issues a service ticket as the DC, ending in Domain Admin. Fixed by the November 2021 updates; setting ms-DS-MachineAccountQuota to 0 (default 10) removes the ability of ordinary users to create the machine account the chain starts from.
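Exposure to both findings can be checked from the directory and the DCs' event logs rather than by exploiting them. This is an added example, not code from the original page: it reads ms-DS-MachineAccountQuota, then on each DC reports the OS build, the Netlogon FullSecureChannelProtection value, and counts of the Netlogon secure-channel events. Build thresholds are deliberately not hard-coded; compare the reported values with Microsoft's release notes for the August 2020, February 2021 and November 2021 updates. Run as a Domain Admin from a host with RSAT and WinRM access to the DCs.

```powershell
# Added example (not from the original page): exposure checks for the two
# findings above. No thresholds are hard-coded; compare OSBuild with the
# release notes for the relevant cumulative updates.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# noPac prerequisite: with a quota above 0 any authenticated user can create
# machine accounts. 0 removes that step from the chain.
$quota = (Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
[pscustomobject]@{ Check = 'ms-DS-MachineAccountQuota'; Value = $quota; Ok = ($quota -eq 0) }

foreach ($dc in Get-ADDomainController -Filter *) {
    Invoke-Command -ComputerName $dc.HostName -ScriptBlock {
        $cv = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
        $nl = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue

        # Netlogon secure-channel events in the System log (source NETLOGON):
        #   5827/5828  vulnerable connection denied (enforcement active)
        #   5829       vulnerable connection allowed (DC still in compatibility mode)
        #   5830/5831  allowed only because of an explicit policy exception
        # Get-WinEvent errors when nothing matches, hence SilentlyContinue.
        $events = Get-WinEvent -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'
            Id = 5827, 5828, 5829, 5830, 5831
            StartTime = (Get-Date).AddDays(-30)
        } -ErrorAction SilentlyContinue | Group-Object Id -AsHashTable -AsString

        [pscustomobject]@{
            DC                          = $env:COMPUTERNAME
            OSBuild                     = "$($cv.CurrentBuild).$($cv.UBR)"
            # 1 = enforcement set explicitly; absent on a DC with the Feb 2021
            # or later update still means enforced, so read it with OSBuild.
            FullSecureChannelProtection = $nl.FullSecureChannelProtection
            VulnerableAllowed_5829      = @($events['5829']).Count
            VulnerableDenied_5827_5828  = @($events['5827']).Count + @($events['5828']).Count
            PolicyExceptions_5830_5831  = @($events['5830']).Count + @($events['5831']).Count
        }
    }
}
```

A non-zero 5829 count is the actionable result: it names the DC that is still allowing vulnerable secure channels, and the event body names the client account, which is the list to fix or explicitly except before enforcement.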
Security Configuration
Password Policy
- ✓ Minimum 12 characters
- ✓ Complexity requirements
- ✓ 90-day maximum age
- ✓ 24 password history
- ✓ Account lockout: 5 attempts
Audit Policy
- ✓ Logon/Logoff events
- ✓ Account management
- ✓ Directory service access
- ✓ Policy changes
- ✓ Privilege use
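The two lists above are a baseline, and the live configuration can drift from it through GPO edits or fine-grained password policies. The following is an added example, not code from the original page: it compares the default domain password policy with the listed values, lists any fine-grained password policies that override it, and uses the auditpol CSV output to flag subcategories in the five listed audit categories that are set to "No Auditing". Run it in an elevated session on a domain controller, since auditpol reports the local effective policy (which on DCs comes from the Default Domain Controllers GPO).

```powershell
# Added example (not from the original page): compare live settings with the
# password and audit baseline listed above. Run elevated on a domain controller.
Import-Module ActiveDirectory

$policy     = Get-ADDefaultDomainPasswordPolicy
$maxAgeDays = $policy.MaxPasswordAge.Days   # TimeSpan.MaxValue when passwords never expire

$passwordChecks = @(
    [pscustomobject]@{ Setting = 'MinPasswordLength';     Expected = '>= 12'; Actual = $policy.MinPasswordLength;           Ok = ($policy.MinPasswordLength -ge 12) }
    [pscustomobject]@{ Setting = 'ComplexityEnabled';     Expected = 'True';  Actual = $policy.ComplexityEnabled;           Ok = [bool]$policy.ComplexityEnabled }
    [pscustomobject]@{ Setting = 'MaxPasswordAge (days)'; Expected = '1-90';  Actual = $maxAgeDays;                         Ok = ($maxAgeDays -ge 1 -and $maxAgeDays -le 90) }
    [pscustomobject]@{ Setting = 'PasswordHistoryCount';  Expected = '>= 24'; Actual = $policy.PasswordHistoryCount;        Ok = ($policy.PasswordHistoryCount -ge 24) }
    [pscustomobject]@{ Setting = 'LockoutThreshold';      Expected = '1-5';   Actual = $policy.LockoutThreshold;            Ok = ($policy.LockoutThreshold -ge 1 -and $policy.LockoutThreshold -le 5) }
    # Not on the page's list, but a policy that stores reversible passwords defeats the rest.
    [pscustomobject]@{ Setting = 'ReversibleEncryption';  Expected = 'False'; Actual = $policy.ReversibleEncryptionEnabled; Ok = (-not $policy.ReversibleEncryptionEnabled) }
)
$passwordChecks | Format-Table -AutoSize

# Fine-grained password policies (PSOs) override the default for the principals
# they apply to; a weaker PSO on admin or service accounts would not show above.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

# Audit policy: auditpol /r emits one CSV row per subcategory. Only the five
# categories listed on the page are queried.
$audit = auditpol /get /category:"Logon/Logoff,Account Management,DS Access,Policy Change,Privilege Use" /r |
    Where-Object { $_ -ne '' } |
    ConvertFrom-Csv

$notAudited = $audit | Where-Object { $_.'Inclusion Setting' -eq 'No Auditing' }
if ($notAudited) {
    Write-Warning "Subcategories with no auditing:"
    $notAudited | Select-Object Subcategory, 'Inclusion Setting' | Format-Table -AutoSize
}

# Caveat for "Directory service access": the subcategory produces 4662 events
# only for objects that carry a SACL; enabling it alone yields nothing.
(Get-Acl -Path "AD:\$((Get-ADDomain).DistinguishedName)" -Audit).Audit |
    Select-Object IdentityReference, ActiveDirectoryRights, AuditFlags
```

The last query shows whether the domain head has any audit ACEs at all; an empty result with the subcategory enabled explains why no 4662 events ever appear in the DC security logs.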