
AD implementation information must be added to the site's disaster recovery plans, including AD forest, tree, and domain structure.


Finding ID: V-8525
Version: DS00.6120_AD
Rule ID: SV-30995r1_rule
IA Controls: CODP-1, CODP-2, CODP-3, COEF-1, COEF-2
Severity: Low
When an incident occurs that requires multiple AD domain controllers to be rebuilt, it is critical to understand the AD hierarchy and replication flow so that the correct recovery sequence and configuration values can be selected. Without appropriate AD forest, tree, and domain structural documentation, it may be impossible or very time-consuming to reconstruct the original configuration.
Active Directory Domain Security Technical Implementation Guide (STIG) 2011-05-12


Check Text (C-14103r2_chk)
1. Interview the IAO. Ask about the MAC levels of the system.

2. Determine the MAC level information for the AD Domain asset. If the asset is registered in VMS, this is available by using Asset Finding Maint. and navigating to the asset or by running an Asset Information (AS01) report for the location.

3. If the MAC level of the AD Domain is III, this check is not applicable.

4. Obtain a copy of the site’s disaster recovery planning documents.

5. Check the disaster recovery plans for documentation on the AD hierarchy (forest, tree, and domain structure).
(A chart showing forest hierarchy and domain names is the minimum suggested.)

6. If the disaster recovery plans that cover a MAC I or II level AD Domain do not include directory hierarchy information, then this is a finding.
Fix Text (F-15011r2_fix)
Update the disaster recovery plans to include directory service architecture details such as hierarchy and replication structure.
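One way to produce the hierarchy and replication details the fix calls for, as an added example that is not part of the STIG: this PowerShell script walks the forest from its tree roots down through child domains, records the FSMO role holders and domain controllers of each domain, and lists the sites and site links that define replication flow, writing the result as text that can be attached to the disaster recovery plan. It assumes a domain-joined host with the RSAT ActiveDirectory module and an account with ordinary read access to the directory; the output file name is a placeholder.

```powershell
# Added example: dump the AD forest/tree/domain hierarchy and replication
# topology for inclusion in a disaster recovery plan.
# Assumes: RSAT ActiveDirectory module, domain-joined host, read access.
Import-Module ActiveDirectory

$forest = Get-ADForest
$out = [System.Collections.Generic.List[string]]::new()
$out.Add("Forest: $($forest.Name)  (mode: $($forest.ForestMode))")
$out.Add("  Root domain:          $($forest.RootDomain)")
$out.Add("  Schema master:        $($forest.SchemaMaster)")
$out.Add("  Domain naming master: $($forest.DomainNamingMaster)")
$out.Add("  Global catalogs:      $($forest.GlobalCatalogs -join ', ')")

# Collect every domain in the forest once, keyed by DNS root.
$domains = @{}
foreach ($d in $forest.Domains) { $domains[$d] = Get-ADDomain -Identity $d }

# Recursively print a domain and its children; indentation shows the hierarchy.
function Write-DomainTree([string]$Dns, [int]$Depth) {
    $dom = $domains[$Dns]
    $pad = ' ' * (2 * $Depth)
    $out.Add("${pad}Domain: $($dom.DNSRoot) (NetBIOS $($dom.NetBIOSName), mode $($dom.DomainMode))")
    $out.Add("${pad}  PDC emulator: $($dom.PDCEmulator)  RID master: $($dom.RIDMaster)  Infrastructure master: $($dom.InfrastructureMaster)")
    $out.Add("${pad}  Writable DCs: $($dom.ReplicaDirectoryServers -join ', ')")
    if ($dom.ReadOnlyReplicaDirectoryServers) {
        $out.Add("${pad}  RODCs: $($dom.ReadOnlyReplicaDirectoryServers -join ', ')")
    }
    foreach ($child in $dom.ChildDomains) { Write-DomainTree $child ($Depth + 1) }
}

# A tree root is a domain in the forest that has no parent domain.
$out.Add("Trees:")
foreach ($dns in $domains.Keys | Sort-Object) {
    if (-not $domains[$dns].ParentDomain) { Write-DomainTree $dns 1 }
}

# Replication flow: the sites and the site links that connect them.
$out.Add("Sites: $($forest.Sites -join ', ')")
$out.Add("Site links:")
foreach ($link in Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes) {
    # SitesIncluded holds distinguished names; keep only the site CN for readability.
    $sites = ($link.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ' <-> '
    $out.Add("  $($link.Name): $sites (cost $($link.Cost), every $($link.ReplicationFrequencyInMinutes) min)")
}

$out | Set-Content -Path .\AD-Hierarchy-for-DR-Plan.txt   # placeholder file name
$out
```

Run the script from each forest if the site has more than one, and regenerate the output whenever a domain, domain controller or site link is added so the DR plan does not drift from the live topology.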