STIGQter: STIG Summary: Active Directory Domain Security Technical Implementation Guide (STIG) Version: 2 Release: 13 Benchmark Date: 26 Apr 2019

Inter-site replication must be enabled and configured to occur at least daily.

DISA Rule

SV-30992r3_rule

Vulnerability Number

V-8553

Group Title

Replication Schedule

Rule Version

DS00.3230_AD

Severity

CAT II

CCI(s)

Weight

10

Fix Recommendation

Maintain an Active Directory replication schedule that allows inter-site replication to occur at least on a daily basis.
Open "Active Directory Sites and Services". (Available from various menus or run "dssite.msc".)
Expand "Sites" in the left pane.
Expand "Inter-Site Transports" and select "IP".
For each site link that is defined in the right pane perform the following:
Right-click the site link item and select "Properties".
In the "Replicate every" field, select an interval less than "1440". (By default this is 180.)
Click the "Change Schedule" button.
Select time frames for "Replication Available" to allow for replication to occur at least daily.

Check Contents

Open "Active Directory Sites and Services". (Available from various menus or run "dssite.msc".)
Expand "Sites" in the left pane.
If only a single site exists, this is NA. By default the first site in a domain is named "Default-First-Site-Name" but may have been changed.
If more than one site exists, expand "Inter-Site Transports" and select "IP".
For each site link that is defined in the right pane perform the following:
Right-click the site link item and select "Properties".

If the interval on the "General" tab for the "Replicate every" field is greater than "1440", this is a finding.

Click the "Change Schedule" button.

If the time frames selected for "Replication Available" do not allow for replication to occur at least daily, this is a finding.

Click the Cancel buttons to exit.
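
The same check can be scripted across every IP site link instead of opening each one in the console. The following PowerShell is an added example, not part of the STIG text; it assumes the ActiveDirectory (RSAT) module is available, reads "at least daily" as "every day of the week has at least one open replication slot", and assumes day index 0 in the schedule array is Sunday.

```powershell
# Added example: audits IP site links against the V-8553 check text.
# Requires the ActiveDirectory module and read access to the Configuration partition.
Import-Module ActiveDirectory

$maxIntervalMinutes = 1440   # threshold taken from the check text

# A single-site environment is NA for this rule.
$sites = @(Get-ADReplicationSite -Filter *)
if ($sites.Count -le 1) {
    Write-Output 'Only one site exists: this rule is NA.'
    return
}

# Limit to links under the IP transport ("Inter-Site Transports" > "IP" in the console).
$links = Get-ADReplicationSiteLink -Filter * -Properties * |
    Where-Object { $_.DistinguishedName -like '*,CN=IP,CN=Inter-Site Transports,*' }

$results = foreach ($link in $links) {
    $reasons = @()

    if ($link.ReplicationFrequencyInMinutes -gt $maxIntervalMinutes) {
        $reasons += "interval $($link.ReplicationFrequencyInMinutes) > $maxIntervalMinutes"
    }

    # No schedule object means replication is available at all times.
    $raw = if ($link.ReplicationSchedule) { $link.ReplicationSchedule.RawSchedule } else { $null }
    if ($raw) {
        # RawSchedule is bool[day, hour, quarter-hour].
        # Assumption: "at least daily" means each of the 7 days has one open slot.
        for ($day = 0; $day -lt 7; $day++) {
            $open = $false
            for ($hour = 0; $hour -lt 24 -and -not $open; $hour++) {
                for ($q = 0; $q -lt 4; $q++) {
                    if ($raw[$day, $hour, $q]) { $open = $true; break }
                }
            }
            # Assumption: index 0 is Sunday, matching System.DayOfWeek.
            if (-not $open) { $reasons += "no replication window on day index $day" }
        }
    }

    [pscustomobject]@{
        SiteLink = $link.Name
        Interval = $link.ReplicationFrequencyInMinutes
        Finding  = [bool]$reasons.Count
        Reasons  = $reasons -join '; '
    }
}
$results | Format-Table -AutoSize
```

Any row with Finding set to True should be confirmed in the "Change Schedule" dialog before it is recorded, since the script's reading of the schedule is an interpretation of the check text.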

Documentable

False

Severity Override Guidance

Check Content Reference

M

Responsibility

Information Assurance Officer

Target Key

870

Comments