
When the domain supports a MAC I or II domain, the directory service must be supported by multiple directory servers.


Overview

Finding ID: V-8524
Version: DS00.6140_AD
Rule ID: SV-30996r2_rule
IA Controls: COTR-1
Severity: Medium
Description
In AD architecture, multiple domain controllers provide availability through redundancy. If an AD domain or servers within it are designated as MAC I or II and the domain is supported by only a single domain controller, an outage of that machine can prevent users from accessing resources on servers in that domain and in other AD domains.
STIG: Active Directory Domain Security Technical Implementation Guide (STIG)
Date: 2014-12-18

Details

Check Text (C-14112r1_chk)
1. Determine the MAC level information for the directory server. If the asset is registered in VMS, this is available by using Asset Finding Maint. and navigating to the asset or by running an Asset Information (AS01) report for the location.

2. If the MAC level of the directory server is III, this check is not applicable.

3. Start the Active Directory Users and Computers console (Start, Run, “dsa.msc”).

4. Select and expand the left pane item that matches the name of the domain being reviewed.

5. Select the Domain Controllers [OU] item in the left pane.

6. Count the number of computers (objects) in the Domain Controllers OU.

7. If there is only one domain controller for a MAC I or II level domain, then this is a finding.
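
Steps 2 and 5 through 7 can also be run from PowerShell instead of the dsa.msc console. The script below is an added example, not part of the STIG; it assumes the ActiveDirectory module (RSAT) is installed, and the function name Test-DomainControllerRedundancy and its -MacLevel parameter are hypothetical. The MAC level still has to be determined by the reviewer as in step 1.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not STIG content. Function and parameter names are hypothetical.
function Test-DomainControllerRedundancy {
    [CmdletBinding()]
    param(
        # MAC level determined by the reviewer in step 1 of the check.
        [Parameter(Mandatory)]
        [ValidateSet('I', 'II', 'III')]
        [string]$MacLevel,

        # Domain under review; defaults to the logged-on user's domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )

    $result = [ordered]@{
        Domain   = $Domain
        MacLevel = $MacLevel
        DCCount  = $null
        DCNames  = @()
        Status   = 'NotApplicable'
    }

    # Step 2: the check does not apply to MAC III.
    if ($MacLevel -eq 'III') {
        return [pscustomobject]$result
    }

    # Steps 4-5: locate the Domain Controllers OU of the domain under review.
    $adDomain = Get-ADDomain -Identity $Domain -ErrorAction Stop

    # Step 6: count the computer objects directly inside that OU.
    # @() forces an array so .Count is correct for zero or one object.
    $dcs = @(Get-ADComputer -Filter * -Server $adDomain.DNSRoot `
                -SearchBase $adDomain.DomainControllersContainer `
                -SearchScope OneLevel -ErrorAction Stop)

    $result.DCCount = $dcs.Count
    $result.DCNames = $dcs | Sort-Object Name | ForEach-Object { $_.Name }

    # Step 7: a single domain controller for MAC I or II is a finding.
    $result.Status = if ($dcs.Count -lt 2) { 'Finding' } else { 'NotAFinding' }

    [pscustomobject]$result
}

# Example call (the MAC level here is a constructed value):
# Test-DomainControllerRedundancy -MacLevel II
```

Like the console procedure, this counts computer objects in the OU, not servers that are currently reachable, so review the returned DCNames for stale entries before recording the result.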
Fix Text (F-15019r1_fix)
When the domain supports a MAC I or II domain, the directory service will be supported by multiple directory servers.