Microsoft Active Directory

Microsoft Corporation

Enterprise directory service for identity and access management, providing authentication, authorization, and policy enforcement across the county network

Status: Active | Platform: Windows Server 2019 | Deployment: On-premises

System Overview

Product Name Active Directory Domain Services (AD DS)
Vendor Microsoft Corporation
Server Version Windows Server 2019
Forest Functional Level Windows Server 2016
Domain Name NORCOPA (Northampton County PA)
Domain Controllers 4 Domain Controllers
Total Objects ~3,000 (users, computers, groups)
Sites 12 physical locations

Domain Controller Topology

The county operates 4 domain controllers distributed across primary sites for redundancy and performance.

🖥️
DC01-ADMIN
Primary DC
Holds the FSMO roles (all five in a single-domain forest: Schema Master, Domain Naming Master, PDC Emulator, RID Master, Infrastructure Master)
🖥️
DC02-COURTHOUSE
Secondary DC
Read-Write
🖥️
DC03-EMERGENCY
DR Site
Designated FSMO standby: roles are transferred to it in a planned move, or seized if DC01-ADMIN is lost (FSMO roles have no automatic backup holder)
🖥️
DC04-SERVICES
Services DC
Read-Write
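The topology above is only as good as what the directory actually reports. The script below is an added example, not part of the county's documentation or of any Microsoft tooling: it enumerates the domain controllers and FSMO role holders, compares them with the four DCs named on this page, and finishes with a replication summary. It assumes the RSAT ActiveDirectory module and a session authenticated to the NORCOPA domain.

```powershell
# Added example: verify the documented DC topology and FSMO placement.
# Assumes RSAT ActiveDirectory and a domain-authenticated session.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Documented state from the page: DC01-ADMIN holds the FSMO roles,
# and these four DCs exist.
$expectedFsmoHolder = 'DC01-ADMIN'
$expectedDcs = 'DC01-ADMIN', 'DC02-COURTHOUSE', 'DC03-EMERGENCY', 'DC04-SERVICES'

$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}

"Forest mode: $($forest.ForestMode)   Domain mode: $($domain.DomainMode)"
foreach ($role in $fsmo.Keys) {
    $holder = ($fsmo[$role] -split '\.')[0]          # strip the DNS suffix
    $flag = if ($holder -ieq $expectedFsmoHolder) { 'OK ' } else { '!! ' }
    "{0}{1,-22}{2}" -f $flag, $role, $fsmo[$role]
}

# Every DC: site, Global Catalog status, writable vs read-only, OS.
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object Name, Site, IsGlobalCatalog, IsReadOnly, OperatingSystem |
    Format-Table -AutoSize

# Drift between the page and the directory, in both directions.
Compare-Object -ReferenceObject $expectedDcs -DifferenceObject $dcs.Name |
    ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'documented but not found in AD' }
                else { 'found in AD but not documented' }
        "!! $($_.InputObject): $side"
    }

# Replication health: a failing partner silently removes the redundancy
# the four-DC design is supposed to provide.
repadmin /replsummary
```

Run it from a management host, not on a DC; any `!!` line is a documentation or configuration discrepancy to resolve before relying on DC03-EMERGENCY as the standby.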

Architecture Components

🏢
Domain Structure

  • Single forest, single domain
  • Organizational Units (OUs) by department
  • Delegated administration
  • OU-based Group Policy
  • Global Catalog replication

🔐
Authentication

  • Kerberos v5
  • NTLM (legacy fallback)
  • LDAP/LDAPS
  • Smart card support
  • Duo MFA integration
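Keeping NTLM as a "legacy fallback" is only safe if someone knows who still uses it, and the same goes for LDAP clients that bind without signing or over clear-text simple binds before LDAPS or LDAP signing is enforced. The following script is an added example, not from the page or from Microsoft: it collects the audit events the DCs already emit for both cases and groups them by client. It assumes the GPO setting "Network security: Restrict NTLM: Audit NTLM authentication in this domain" is set to Enable all (which produces event 8004 on the DCs), and that the NTDS diagnostic level "16 LDAP Interface Events" is set to 2 on each DC (which produces event 2889). The DC names are those on this page; the seven-day window is arbitrary.

```powershell
# Added example: inventory NTLM and unsigned/simple LDAP usage from DC logs.
# Assumes NTLM auditing and LDAP interface event logging are enabled (see lead-in).
$dcs = 'DC01-ADMIN', 'DC02-COURTHOUSE', 'DC03-EMERGENCY', 'DC04-SERVICES'
$since = (Get-Date).AddDays(-7)

# 1. NTLM authentications audited by the DCs (Microsoft-Windows-NTLM/Operational, 8004).
$ntlm = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-NTLM/Operational'; Id = 8004; StartTime = $since
    } | ForEach-Object {
        # 8004 message carries "User name:", "Domain name:" and "Workstation name:" fields.
        $ws   = if ($_.Message -match 'Workstation name:\s*(\S+)') { $Matches[1] } else { '?' }
        $user = if ($_.Message -match 'User name:\s*(\S+)')        { $Matches[1] } else { '?' }
        [pscustomobject]@{ DC = $dc; Workstation = $ws; User = $user }
    }
}
"NTLM authentications in the last 7 days, by workstation:"
$ntlm | Group-Object Workstation | Sort-Object Count -Descending |
    Select-Object Count, Name -First 20 | Format-Table -AutoSize

# 2. LDAP binds that were unsigned SASL (Binding Type 0) or clear-text simple
#    binds (Binding Type 1). These are the clients that will break when
#    "Domain controller: LDAP server signing requirements" is set to Require
#    or when LDAPS becomes mandatory.
$ldap = foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Directory Service'; Id = 2889; StartTime = $since
    } | ForEach-Object {
        $client = if ($_.Message -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
        $ident  = if ($_.Message -match 'authenticate as:\s*(\S+)')   { $Matches[1] } else { '?' }
        $type   = if ($_.Message -match 'Binding Type:\s*(\d)')       { $Matches[1] } else { '?' }
        [pscustomobject]@{ DC = $dc; Client = $client; Identity = $ident; BindType = $type }
    }
}
"Unsigned or simple LDAP binds in the last 7 days, by client and identity:"
$ldap | Group-Object Client, Identity, BindType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

The output is the remediation list: each workstation or LDAP client that appears needs either reconfiguration (Kerberos, LDAPS, signed binds) or an explicit exception before NTLM or unsigned LDAP is blocked domain-wide.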

📋
Group Policy

  • Security policies
  • Software deployment
  • User settings
  • Password policies
  • Audit policies

📊
Directory Services

  • DNS integration
  • Certificate Services (PKI)
  • Federation Services (ADFS)
  • Rights Management
  • Azure AD Connect

Core Protocols

LDAP
Directory queries & modifications
Kerberos
Secure authentication
DNS
Name resolution & service location
SMB
File sharing & SYSVOL
DFSR
SYSVOL replication (Group Policy templates and logon scripts) between DCs
RPC
Directory replication (DRS), Netlogon secure channel, and most remote management interfaces

Windows Server 2022 Features

Planned upgrade path to Windows Server 2022 will provide these enhancements:

Secured-core Server

Hardware-rooted security with TPM 2.0, Secure Boot, and virtualization-based security.

TLS 1.3 Support

Latest security protocol enabled by default for encrypted communications.

Enhanced ADAC

Improved Active Directory Administrative Center for easier management.

Time-based Membership

Expiring (TTL-based) group membership, which removes a member automatically when its time-to-live lapses. This is the Privileged Access Management optional feature introduced with the Windows Server 2016 forest functional level, so it is already available in the county forest once the feature is enabled; it does not depend on the Server 2022 upgrade.
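Because the county forest is already at the Windows Server 2016 functional level, expiring membership can be used today for just-in-time administrative access. The snippet below is an added example, not from the page: it enables the optional feature (a one-time, irreversible forest change that requires Enterprise Admins), grants a temporary Domain Admins membership, and lists remaining TTLs. The account name `jdoe.adm` is a placeholder; the forest DNS name is read from the directory rather than assumed.

```powershell
# Added example: expiring (TTL) group membership on an FFL 2016 forest.
# Assumes RSAT ActiveDirectory and Enterprise Admins rights for the enable step.
Import-Module ActiveDirectory
$forestDns = (Get-ADForest).RootDomain    # page gives only the NetBIOS name NORCOPA

# Enable the Privileged Access Management feature once; it cannot be disabled.
$pam = Get-ADOptionalFeature -Filter 'Name -eq "Privileged Access Management Feature"'
if (-not $pam.EnabledScopes) {
    Enable-ADOptionalFeature -Identity 'Privileged Access Management Feature' `
        -Scope ForestOrConfigurationSet -Target $forestDns -Confirm:$false
}

# Four-hour Domain Admins membership for a change window. The link is
# removed automatically, and a TGT issued during the window has its
# lifetime capped to the remaining TTL, so the privilege really expires.
Add-ADGroupMember -Identity 'Domain Admins' -Members 'jdoe.adm' `
    -MemberTimeToLive (New-TimeSpan -Hours 4)

# Members with a remaining TTL appear as <TTL=seconds,DN>; the rest are permanent.
(Get-ADGroup -Identity 'Domain Admins' -Properties member -ShowMemberTimeToLive).member
```

Permanent Domain Admins membership should be the exception after this is in place; the last command is the audit that shows who still has it.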

PowerShell Cmdlets

New cmdlets for better automation of domain, user, and group management.

gMSA Improvements

Group Managed Service Accounts can be used by Windows containers whose container host is not domain-joined.

Known Vulnerabilities

CVE-2020-1472 (Zerologon)
Netlogon Elevation of Privilege
CVSS 10.0

Critical flaw in the Netlogon Remote Protocol cryptography: an unauthenticated attacker who can reach a DC's Netlogon RPC interface can reset the DC's machine account password and from there take over the domain.

Remediation: Apply the August 11, 2020 security update, then confirm enforcement mode (on by default for DCs updated on or after February 9, 2021, or earlier by setting FullSecureChannelProtection=1). Netlogon events 5827/5828 show vulnerable connections being denied; 5829 means a vulnerable connection was still allowed and the DC is not enforcing.
Status: ✓ Patched (verify enforcement mode)

CVE-2021-42278/42287
sAMAccountName Spoofing
CVSS 7.5

Privilege escalation via machine account spoofing: any domain user able to create a machine account (the default ms-DS-MachineAccountQuota of 10 allows this) renames it to a DC's name without the trailing $, requests a TGT, renames it back, and uses S4U2self to obtain a service ticket as that DC, which yields domain admin access.

Remediation: Apply the November 9, 2021 security update and confirm the later enforcement phase (PacRequestorEnforcement); set ms-DS-MachineAccountQuota to 0 so only delegated administrators can create machine accounts
Status: ⚠ Review patch status
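"Patched" and "enforced" are different states for both of these CVEs, and the second one also leaves directory artefacts worth looking for. The script below is an added example, not from the page or from Microsoft: it checks each DC's build, the two enforcement registry values, and the Netlogon audit events, then looks for machine accounts whose sAMAccountName lacks the trailing $ (the fingerprint of the CVE-2021-42278 technique) and reports the machine account quota. It assumes RSAT ActiveDirectory, PowerShell remoting to the DCs, and Domain Admin rights. The DC names are from the page; the build-number thresholds (17763.1397 for August 2020, 17763.2300 for November 2021) are taken from the Windows Server 2019 update history and should be confirmed there.

```powershell
# Added example: enforcement and artefact checks for CVE-2020-1472 and CVE-2021-42278/42287.
# Assumes RSAT ActiveDirectory, remoting to the DCs, Domain Admin rights.
Import-Module ActiveDirectory
$dcs = 'DC01-ADMIN', 'DC02-COURTHOUSE', 'DC03-EMERGENCY', 'DC04-SERVICES'

$perDc = Invoke-Command -ComputerName $dcs -ScriptBlock {
    $ver = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $cb  = $ver.CurrentBuild; $ubr = [int]$ver.UBR
    $is2019 = ($cb -eq '17763')            # thresholds below apply to Server 2019 only
    $nl  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' -ErrorAction SilentlyContinue
    $kdc = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Kdc' -ErrorAction SilentlyContinue
    # Netlogon: 5827/5828 = vulnerable connection denied (enforcing),
    # 5829 = allowed (not enforcing), 5830/5831 = allowed by explicit exception group.
    $ev = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
            LogName = 'System'; ProviderName = 'NETLOGON'
            Id = 5827, 5828, 5829, 5830, 5831; StartTime = (Get-Date).AddDays(-30)
          } | Group-Object Id | ForEach-Object { "$($_.Name):$($_.Count)" }
    [pscustomobject]@{
        DC                          = $env:COMPUTERNAME
        Build                       = "$cb.$ubr"
        ZerologonPatched            = $is2019 -and ($ubr -ge 1397)   # Aug 2020 CU (assumed threshold)
        FullSecureChannelProtection = $nl.FullSecureChannelProtection # 1 = explicit; empty after Feb 2021 = default-on
        SamSpoofPatched             = $is2019 -and ($ubr -ge 2300)   # Nov 2021 CU (assumed threshold)
        PacRequestorEnforcement     = $kdc.PacRequestorEnforcement    # 2 = enforcement phase
        NetlogonEvents30d           = ($ev -join ' ')
    }
}
$perDc | Format-Table DC, Build, ZerologonPatched, FullSecureChannelProtection,
    SamSpoofPatched, PacRequestorEnforcement, NetlogonEvents30d -AutoSize

# Directory-side checks for CVE-2021-42278/42287.
# 1. Computer objects without the trailing '$' are the attack's fingerprint
#    (the exploit renames an account to a DC name, then renames it back).
"Computer accounts whose sAMAccountName lacks a trailing $:"
Get-ADComputer -LDAPFilter '(!(sAMAccountName=*$))' -Properties whenCreated, whenChanged |
    Select-Object Name, SamAccountName, whenCreated, whenChanged | Format-Table -AutoSize

# 2. The attack needs to create a machine account; the default quota lets any
#    authenticated user create 10. Zero closes that door for non-admins.
$domainDn = (Get-ADDomain).DistinguishedName
$quota = (Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
"ms-DS-MachineAccountQuota = $quota (recommended 0)"
# To apply:  Set-ADDomain -Identity $domainDn -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

A non-empty 5829 count, a PacRequestorEnforcement below 2, or any computer account without a trailing $ each warrant an incident review, not just a configuration fix.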

Security Configuration

Password Policy

  • Minimum 12 characters
  • Complexity requirements
  • 90-day maximum age
  • 24 password history
  • Account lockout: 5 attempts

Audit Policy

  • Logon/Logoff events
  • Account management
  • Directory service access
  • Policy changes
  • Privilege use
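A written baseline drifts from the live directory unless something compares the two. The script below is an added example, not from the page: it checks the default domain password policy against the values listed above, lists any fine-grained password policies that override it, and reads the effective advanced audit policy on each DC. The mapping of the five audit items above to auditpol subcategories, and the Success/Failure expectations, are this example's assumptions; the DC names are from the page. It assumes RSAT ActiveDirectory, remoting to the DCs, and English-language auditpol output.

```powershell
# Added example: compare live password and audit policy with the documented baseline.
# Assumes RSAT ActiveDirectory and PowerShell remoting to the DCs.
Import-Module ActiveDirectory

# Password baseline exactly as documented on this page.
$baseline = [ordered]@{
    MinPasswordLength    = 12
    ComplexityEnabled    = $true
    MaxPasswordAge       = New-TimeSpan -Days 90
    PasswordHistoryCount = 24
    LockoutThreshold     = 5
}
$policy = Get-ADDefaultDomainPasswordPolicy
"Default domain password policy:"
foreach ($name in $baseline.Keys) {
    $expected = $baseline[$name]
    $actual   = $policy.$name
    $flag = if ($actual -eq $expected) { 'OK ' } else { '!! ' }
    "{0}{1,-22} expected {2,-12} actual {3}" -f $flag, $name, $expected, $actual
}

# PSOs win over the default policy for the principals they apply to; review each.
"Fine-grained password policies (override the default for AppliesTo):"
Get-ADFineGrainedPasswordPolicy -Filter * |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

# Audit subcategories this example maps the page's five items to (assumed mapping).
$required = @{
    'Logon'                     = 'Success and Failure'   # Logon/Logoff events
    'Logoff'                    = 'Success'
    'User Account Management'   = 'Success and Failure'   # Account management
    'Security Group Management' = 'Success and Failure'
    'Directory Service Access'  = 'Success and Failure'   # Directory service access
    'Directory Service Changes' = 'Success and Failure'
    'Audit Policy Change'       = 'Success and Failure'   # Policy changes
    'Sensitive Privilege Use'   = 'Success and Failure'   # Privilege use
}
$dcs = 'DC01-ADMIN', 'DC02-COURTHOUSE', 'DC03-EMERGENCY', 'DC04-SERVICES'
Invoke-Command -ComputerName $dcs -ScriptBlock {
    $req   = $using:required
    $lines = auditpol /get /category:*        # effective policy on this DC
    foreach ($sub in $req.Keys) {
        $actual = 'not found'
        foreach ($line in $lines) {
            # Subcategory lines are indented and followed by two or more spaces.
            if ($line -match "^\s+$([regex]::Escape($sub))\s{2,}(\S.*?)\s*$") {
                $actual = $Matches[1]; break
            }
        }
        $flag = if ($actual -eq $req[$sub]) { 'OK ' } else { '!! ' }
        "{0}{1,-16} {2,-28} expected {3,-20} actual {4}" -f $flag, $env:COMPUTERNAME, $sub, $req[$sub], $actual
    }
}
```

Run this after every Group Policy change to the Default Domain Policy or the DC audit GPO; a `!!` on one DC but not the others usually means a replication or GPO-scope problem rather than a deliberate change.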
