Date post: 15-Mar-2018
Page 1: Understanding Active Directory Level 100 · PDF file  Content What is Directory Service? Active Directory History of Directory Service Advantage of LDAP Back to Active Directory

www.binarytitans.com

Understanding Active Directory Level 100

Ashwin Venugopal

BinaryTitans IT Solutions Pvt. Ltd.

www.binarytitans.com

What are we going to learn here?

Content

What is Directory Service?

Active Directory

History of Directory Service

Advantage of LDAP

Back to Active Directory

Naming conventions

DNS Naming Resolution

DNS

DNS Zone

DNS Zone Type

DNS Round Robin

DNS Queries & DNS Transfers

DNS & Active Directory

AD objects

AD Database

Schema

Domain, Tree and Forest

ACID Property of a Database

Active Directory Sites and Services

Active Directory Replication

Domain Controller

Global Catalog Server

Logical and Physical Components of Active Directory

FSMO Roles

Domain Functional Level

Forest Functional Level

Installing Active Directory (Windows Server 2012)

Part 1 Part 2

Understanding Active Directory Level 100

Part 1

What is Directory Service?

A directory service is a container that provides a hierarchical structure and allows you to store objects for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for a name and retrieve the phone number, address, or other information without knowing where that person lives.

Before directory services, if you needed a file, you needed to know the name of the file, the name of the server on which it is stored and its folder path. This works well on a small network, but as the network grows it becomes challenging.

A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.

Also, earlier a typical user could have more than one user account or password, and as the network grows the number of usernames and passwords also increases: one for the file server, one for the email server, etc.

Active Directory

Active Directory is Microsoft's answer to directory services, and it does a lot more than just locating resources.

Active Directory takes care of this by using Kerberos authentication and Single Sign-On (SSO). SSO means the ability of Kerberos to provide a user with one set of credentials and grant them access across a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket with which the user gains access to the resources and services that support Kerberos.

Active Directory also makes user management easier, as it acts as a single repository for all of this user and computer related information.

History of Directory Service

The precursor of today's directory services is the X.500 specification, which emerged from the International Telecommunication Union (ITU), formerly the CCITT (Comité Consultatif International Téléphonique et Télégraphique).

X.500 sits at the Application layer in the OSI model. X.500 contains several component databases that work together as a single entity.

The primary database is the Directory Information Base (DIB), which stores information about the objects. Its major limitation was its lack of integration with the Internet Protocol (IP).

The protocol it used was the Directory Access Protocol, or DAP. DAP offered more functionality than is required for implementing directory services, so a scaled-down version called the Lightweight Directory Access Protocol (LDAP) was made. Later it was adopted as a standard by the Internet Engineering Task Force (IETF).

Advantage of LDAP

LDAP relies on the TCP/IP stack rather than the OSI stack.

It integrates with IP and enables IP clients to use LDAP to query directory services.

LDAP can perform hyper-searches, giving one directory the ability to defer to another to provide requested data.

LDAP's API is C-based.

Like X.500, LDAP uses an inverted-tree hierarchical structure.

LDAP supports Kerberos authentication, the Simple Authentication and Security Layer (SASL), and the Secure Sockets Layer (SSL).

The Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.

Back to Active Directory

AD is Microsoft's answer to directory services, and it does a lot more than just locating resources.

AD uses LDAP as its access protocol.

AD relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries.

Let's understand Active Directory in more detail.

Naming Conventions

AD contains information about objects in your enterprise.

These objects can be computers, users, printers etc.

AD is a container with nested containers holding other containers or objects.

We name these containers and objects so that they are easy to query or search.

AD supports several naming conventions:

User Principal Names, or UPN

LDAP names, also known as Distinguished Names

User Principal Names (UPN)

This is the one you'll probably find most familiar; it follows the RFC 822 specification.

It has the same format as your email address.

They take the form user@domain

If you have a user named User01 under the Active Directory domain Domain01.local, the UPN will be User01@Domain01.local

Note: We will discuss more about AD domains later.

In AD you can create custom UPNs too, which means you can also add other, custom UPNs for the above-mentioned object.

LDAP Names aka Distinguished Name

Typically it has this format:

cn=common name

ou=organizational unit

dc=domain component

cn=Ashwin,ou=Learning,dc=BinaryTitans,dc=com

And your query would look as below:

LDAP://BTSVRDCo1.binarytitans.com/cn=Ashwin,ou=Learning,dc=binarytitans,dc=com
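A parser for distinguished names of this shape, added here as a Python example (it is not code from the slide deck or from BinaryTitans). It follows the RFC 4514 string rules that AD's LDAP interface accepts, and the escaping helper matters when a DN is built from user-supplied names: an unescaped comma or plus sign changes which object a query addresses.

```python
"""Parse, escape and walk LDAP distinguished names (RFC 4514 string form).

Added example; not code from the slide deck. It handles the
cn=...,ou=...,dc=... form on the slide plus the escapes AD's LDAP
interface accepts: a backslash before a special character, two-digit
hex escapes such as \\2C, and '+' joining a multi-valued RDN.
"""
from __future__ import annotations

_HEX = "0123456789abcdefABCDEF"
_DN_SPECIAL = set(',+"\\<>;')


def _finish(attr: list[str], value: list[str]) -> tuple[str, str]:
    # Attribute types are case-insensitive, so normalise them; values stay verbatim.
    a = "".join(attr).strip().lower()
    v = "".join(value)
    if not a or not v:
        raise ValueError("empty attribute type or value in RDN")
    return a, v


def parse_dn(dn: str) -> list[list[tuple[str, str]]]:
    """Split a DN into RDNs, each a list of (type, value) pairs, left to right.

    Raises ValueError on malformed input: missing '=', dangling escape, empty parts.
    """
    rdns: list[list[tuple[str, str]]] = []
    rdn: list[tuple[str, str]] = []
    attr: list[str] = []
    value: list[str] = []
    in_value = False
    i = 0
    while i < len(dn):
        ch = dn[i]
        buf = value if in_value else attr
        if ch == "\\":
            nxt = dn[i + 1:i + 3]
            if len(nxt) == 2 and nxt[0] in _HEX and nxt[1] in _HEX:
                buf.append(chr(int(nxt, 16)))  # hex escape, e.g. \2C -> ','
                i += 3
            elif i + 1 < len(dn):
                buf.append(dn[i + 1])          # literal escaped character
                i += 2
            else:
                raise ValueError("dangling escape at end of DN")
            continue
        if not in_value and ch == "=":
            in_value = True
        elif in_value and ch in ",+":
            rdn.append(_finish(attr, value))   # unescaped ',' or '+' ends the value
            attr, value, in_value = [], [], False
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    if not in_value:
        raise ValueError(f"RDN without '=' in DN: {dn!r}")
    rdn.append(_finish(attr, value))
    rdns.append(rdn)
    return rdns


def escape_dn_value(value: str) -> str:
    """Escape a raw value so it can safely follow 'type=' in a DN."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in _DN_SPECIAL or (idx == 0 and ch in "# ") or (idx == last and ch == " "):
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def dns_domain_from_dn(dn: str) -> str:
    """Join the dc= components in order: the DNS name AD's locator service uses."""
    parts = [v for rdn in parse_dn(dn) for a, v in rdn if a == "dc"]
    if not parts:
        raise ValueError("DN has no dc= components")
    return ".".join(parts)


def parent_dn(dn: str) -> str:
    """DN of the container holding the object ('' for a top-level RDN), re-escaped."""
    rdns = parse_dn(dn)[1:]
    return ",".join("+".join(f"{a}={escape_dn_value(v)}" for a, v in rdn) for rdn in rdns)
```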

Naming Resolution

In today's networks, you assign logical addresses, such as with IP addressing.

Unfortunately, these addresses tend to be hard to remember, especially in the case of newer, more complicated IPv6 addresses.

Therefore, you need to use some form of naming service that will allow you to translate logical names, which are easier to remember, into logical addresses.

The most common naming service is the Domain Name System, or DNS.

DNS

DNS is short for Domain Name System.

DNS is a hierarchical, client/server-based, distributed database management system that translates domain/host names to IP addresses.

The top of the tree is known as the root domain.

Below the root domain, you will find top-level domains, such as .com, .edu, .org, and .net, as well as two-letter country codes, such as .uk, .ca, and .us.

DNS Zones

A zone is a collection of records which share a similar naming pattern.

DNS Zones Types

When you define DNS zones, you create the zone as either:

Forward lookup zone

A forward lookup zone is the most common type of zone. DNS clients can use this zone to obtain information such as the IP addresses that correspond to DNS domain names, or the services that are stored in the zone.

Reverse lookup zone

Provides mapping from IP addresses back to DNS domain names.

DNS Round Robin

DNS servers use a mechanism called round-robin to share and distribute loads for a network resource.

Round-robin rotates the order of resource records with the same name that point to different IP addresses.

DNS Queries & DNS Transfers

DNS queries and DNS transfers occur over TCP/UDP port 53.

So, if you have any firewall between servers (including firewalls running on the servers), you will need to open port 53.

DNS & Active Directory

The DNS server must support:

Service (SRV) resource records

The dynamic update protocol specified by RFC 2136

AD relies on DNS as its primary locator service, although it's not the only mechanism for locating domain controllers (DCs).

A domain controller is a server which has Active Directory installed.

When a domain controller starts, it registers both its DNS name and its NetBIOS name. More on NetBIOS names later.

It adds LDAP-specific SRV records in DNS to enable LDAP clients to locate DCs through DNS queries.

It also adds Kerberos authentication protocol-specific SRV records to enable clients to locate servers running the Kerberos Key Distribution Center (KDC) service.

Each DC also adds an A record that enables clients that don't support SRV records to locate the DC through a simple host record lookup. You can disable this if required.
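A check of the DC locator records described above, as an added Python example that is not code from the slide deck. The zone lines, the hosts btsvrdc01, btsvrdc02 and oldhost, and the domain domain01.local are constructed; a defender would feed in an exported zone instead to confirm every DC advertises itself and that no stale or unexpected host is advertised as a DC or KDC.

```python
"""Check the DC locator SRV records a domain's DNS zone should carry.

Added example; not from the slide deck. The names are the ones the Windows
locator queries: the LDAP- and Kerberos-specific records the slide mentions
plus _kpasswd for password changes. The zone text below is constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    name: str      # owner name, e.g. _ldap._tcp.dc._msdcs.domain01.local
    priority: int  # lower is tried first
    weight: int    # share of load among equal-priority targets
    port: int
    target: str    # host offering the service


def expected_srv_names(domain: str) -> set[str]:
    """SRV owner names clients look up to find DCs and KDCs for `domain`."""
    d = domain.lower().rstrip(".")
    return {f"_ldap._tcp.dc._msdcs.{d}", f"_kerberos._tcp.dc._msdcs.{d}",
            f"_ldap._tcp.{d}", f"_kerberos._tcp.{d}", f"_kpasswd._tcp.{d}"}


_SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?(?:IN\s+)?SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_lines(zone_text: str) -> list[SrvRecord]:
    """Parse zone-file style SRV lines; ';' starts a comment, blank lines are skipped."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        m = _SRV_LINE.match(line)
        if not m:
            raise ValueError(f"not an SRV record: {line!r}")
        records.append(SrvRecord(m["name"].lower().rstrip("."), int(m["prio"]),
                                 int(m["weight"]), int(m["port"]),
                                 m["target"].lower().rstrip(".")))
    return records


def select_target(records: list[SrvRecord], name: str) -> SrvRecord | None:
    """First record a client tries: lowest priority, then highest weight.
    (Real resolvers pick randomly in proportion to weight; the name tie-break
    only keeps this deterministic.)"""
    wanted = name.lower().rstrip(".")
    cands = [r for r in records if r.name == wanted]
    return min(cands, key=lambda r: (r.priority, -r.weight, r.target)) if cands else None


def audit_dc_records(records: list[SrvRecord], domain: str, dcs: set[str]) -> dict[str, list[str]]:
    """Report expected names that are absent, targets that are not known DCs
    (stale or unexpected registrations), and DCs not advertised under a name."""
    expected = expected_srv_names(domain)
    known = {d.lower().rstrip(".") for d in dcs}
    advertised = {(r.name, r.target) for r in records}
    return {
        "missing_names": sorted(expected - {r.name for r in records}),
        "unknown_targets": sorted({r.target for r in records
                                   if r.name in expected and r.target not in known}),
        "gaps": sorted(f"{dc} missing from {n}" for n in expected for dc in known
                       if (n, dc) not in advertised),
    }


# Constructed sample: two DCs, one stale host still registered, one DC missing a record.
SAMPLE_ZONE = """\
; constructed sample, not a real zone export
_ldap._tcp.dc._msdcs.domain01.local.     600 IN SRV 0 100 389 btsvrdc01.domain01.local.
_ldap._tcp.dc._msdcs.domain01.local.     600 IN SRV 0 100 389 btsvrdc02.domain01.local.
_kerberos._tcp.dc._msdcs.domain01.local. 600 IN SRV 0 100 88  btsvrdc01.domain01.local.
_kerberos._tcp.dc._msdcs.domain01.local. 600 IN SRV 0 100 88  btsvrdc02.domain01.local.
_ldap._tcp.domain01.local.               600 IN SRV 0 100 389 btsvrdc01.domain01.local.
_ldap._tcp.domain01.local.               600 IN SRV 0 100 389 btsvrdc02.domain01.local.
_kerberos._tcp.domain01.local.           600 IN SRV 0 100 88  btsvrdc01.domain01.local.
_kerberos._tcp.domain01.local.           600 IN SRV 0 100 88  btsvrdc02.domain01.local.
_kerberos._tcp.domain01.local.           600 IN SRV 10 50 88  oldhost.domain01.local.
_kpasswd._tcp.domain01.local.            600 IN SRV 0 100 464 btsvrdc01.domain01.local.
"""
DCS = {"btsvrdc01.domain01.local", "btsvrdc02.domain01.local"}
```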

Active Directory objects

Objects in AD can be either containers for other objects or leaf objects, which do not serve as containers.

Objects in AD have attributes, and these attributes not only define the object but also store data. This defines the character of that object.

Some attributes are optional and some are mandatory.

Optional: phone number

Mandatory: username

When an object is created, AD assigns it a GUID, which is a 128-bit number; no two objects in AD have the same GUID.

If an object is moved within AD, it does not lose its GUID.

Objects in AD are protected by Access Control Lists (ACLs).

Active Directory Database

The ESE (Extensible Storage Engine) consists of tables that define the structure of the directory.

The database layer has three partitions that define the contents of AD, with an optional fourth partition.

1. Schema partition: this stores the Active Directory schema.

The Active Directory schema defines what types of objects can be created in the directory, how those objects relate to one another, what the mandatory and optional attributes of each object are, and how one can create such objects.

2. Configuration partition: this contains the configuration of AD.

3. Domain partition: this partition stores the objects.

4. Application partition: an optional fourth partition that an administrator can create.

Active Directory Schema

The Active Directory schema defines what types of objects can be created in the directory, how those objects relate to one another, what the mandatory and optional attributes of each object are, and how one can create such objects.

The schema requires an update whenever you need to create a new type of object or add anything that requires a new attribute.

Domain, Tree and Forest

AD Domain

Objects that are created in AD are grouped into domains.

The objects for a single domain are stored in a single database (which can be replicated).

AD Domain Tree

A tree is a collection of one or more domains.

AD Forest

A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.

Understanding Active Directory Level 100

Part 2

ACID Property of a Database

In computer science, ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee that database transactions are processed reliably.

In the context of databases, a single logical operation on the data is called a transaction.

ACID Property of a Database

Atomicity

Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

Consistency

The consistency property ensures that any transaction will bring the database from one valid state to another.

Isolation

The isolation property ensures that the concurrent execution of transactions results in a system state that could have been obtained if the transactions were executed serially, i.e. one after the other. Each transaction has to execute in total isolation.

Durability

Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. Even if the database crashes, it can be restored.

Active Directory Sites

Sites in Active Directory represent the physical structure, or topology, of your network.

Sites are managed using the Active Directory Sites and Services console.

Sites are connected by site links, and each site link has an associated cost.

Active Directory Replication

Intrasite Replication

Intersite Replication

Active Directory Replication

Intrasite Replication

Happens between DCs in the same site.

Replication happens 15 seconds after a change.

This happens automatically.

The intrasite topology is automatically generated by the KCC (Knowledge Consistency Checker), which runs on every DC.

Active Directory Replication

Intersite Replication

This is not created automatically; the administrator creates it. Active Directory will automatically pick a domain controller from each site to act as a bridgehead server. Bridgehead servers replicate changes between the sites. This is much more efficient than every DC attempting to replicate to other sites.

When a change reaches the bridgehead server, the change is replicated to all other domain controllers in that site.

Administrators can manually select the bridgehead server; these are called preferred bridgehead servers. If they are selected manually and those DCs aren't available, no replication will occur.

These sites are connected to each other by site links.

Active Directory Replication

Site Link

Determines the schedule of replication.

Allows you to configure a cost.

Cost determines at what priority these links should be used: lower cost, higher priority.

The KCC running on the bridgehead will act as the ISTG (Inter-Site Topology Generator).

Whenever a site link goes down, the KCC creates a new intersite replication topology. The KCC runs every 15 minutes.
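The cost-based route selection just described, as an added Python example (not from the slide deck; the site names and costs are constructed). It computes the cheapest replication route from one site to every other and shows which sites become unreachable when links go down, which is the situation the KCC has to re-plan around.

```python
"""Least-cost intersite replication routes from site link costs.

Added example; not from the slide deck. A site link is modelled as AD
defines it: a named link joining two or more sites at one cost. Routes are
found the way the ISTG prefers them, lowest total cost first (this assumes
site link bridging, so a route may cross several links). The topology
below is constructed.
"""
from __future__ import annotations

import heapq

SiteLinks = dict[str, tuple[int, set[str]]]  # link name -> (cost, sites it joins)


def build_graph(site_links: SiteLinks) -> dict[str, dict[str, int]]:
    """Adjacency map {site: {neighbour: cheapest direct link cost}}."""
    graph: dict[str, dict[str, int]] = {}
    for name, (cost, sites) in site_links.items():
        if cost < 1 or len(sites) < 2:
            raise ValueError(f"site link {name!r} needs cost >= 1 and at least two sites")
        for a in sites:
            graph.setdefault(a, {})
            for b in sites:
                if a != b:
                    graph[a][b] = min(cost, graph[a].get(b, cost))
    return graph


def cheapest_routes(site_links: SiteLinks, source: str) -> dict[str, tuple[int, list[str]]]:
    """Dijkstra from `source`: {site: (total cost, route)}; unreachable sites are absent."""
    graph = build_graph(site_links)
    if source not in graph:
        raise ValueError(f"site {source!r} is not on any site link")
    best = {source: (0, [source])}
    heap = [(0, source)]
    while heap:
        cost, site = heapq.heappop(heap)
        if cost > best[site][0]:
            continue  # stale heap entry, a cheaper route was already found
        for nxt, link_cost in graph[site].items():
            new_cost = cost + link_cost
            if nxt not in best or new_cost < best[nxt][0]:
                best[nxt] = (new_cost, best[site][1] + [nxt])
                heapq.heappush(heap, (new_cost, nxt))
    return best


def unreachable_sites(site_links: SiteLinks, source: str) -> list[str]:
    """Sites that replication from `source` cannot reach with the current links."""
    all_sites = {s for _, sites in site_links.values() for s in sites}
    return sorted(all_sites - set(cheapest_routes(site_links, source)))


# Constructed topology: the direct HQ-Branch2 link is dearer than going via Branch1.
SAMPLE_LINKS: SiteLinks = {
    "HQ-Branch1": (100, {"HQ", "Branch1"}),
    "HQ-Branch2": (300, {"HQ", "Branch2"}),
    "Branch1-Branch2": (100, {"Branch1", "Branch2"}),
    "Branch2-Remote": (200, {"Branch2", "Remote"}),
}
```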

Active Directory Replication

Transport Protocols

RPC over IP

Supports every type of data replication required for Active Directory.

Synchronous.

Used when the connectivity is reliable.

Always used for intrasite replication.

SMTP

Can replicate everything other than file replication. Files: login scripts and Group Policies.

Asynchronous.

Used when the connectivity is unreliable.

RPC over IP is normally used in the real world.

Active Directory Replication

Multi-Master

Multi-master replication is a method of database replication which allows data to be stored by a group of computers, and updated by any member of the group.

Single Master

Single-master replication is a method of database replication which allows data to be stored by a group of computers, but updated by only one member of the group.

Active Directory Commands

The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest.

repadmin /replsummary

Synchronizes a specified domain controller with all replication partners, and reports whether the sync was successful or not.

repadmin /syncall /e

repadmin /syncall /Aped

A (all partitions), P (push), e (enterprise), d (distinguished name)

Forces the KCC on the targeted domain controller(s) to immediately recalculate its inbound replication topology.

repadmin /kcc *

Active Directory Commands

Finds the last time your DCs were backed up, by reading the DSASignature attribute from all servers.

repadmin /showbackup *

Outputs all replication summary information from all DCs.

repadmin /showrepl *

Displays inbound replication requests that the domain controller has to issue to become consistent with its source replication partners.

repadmin /queue *

Active Directory Commands

Lists all the domain controllers in Active Directory.

dsquery server -o rdn

Displays calls that have not yet been answered, made by the specified server to other servers.

repadmin /showoutcalls *

Lists the topology information of all the bridgehead servers.

repadmin /bridgeheads * /verbose

Inter-Site Topology Generator report.

repadmin /istg * /verbose

Active Directory Commands

Displays a list of failed replication events detected by the Knowledge Consistency Checker (KCC).

repadmin /failcache *

Lists all domains trusted by a specified domain.

repadmin /showtrust *

Displays the replication features for a directory partition on a domain controller.

repadmin /bind *

Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.

dcdiag /c /e /v

Domain Controller

A server which has Active Directory installed.

Uses LDAP port 389 for communication.

Global Catalog Server

The global catalog is a domain controller that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory forest.

It uses the non-standard LDAP port 3268 for communication.

AD Database Layer

Directory System Agent (DSA) Layer

The directory service component that runs as Ntdsa.dll on each domain controller, providing the interfaces through which services and processes gain access to the directory database.

ESE Layer

Jet engine

Database Layer

Schema Partition

Config Partition

Domain Partition

Application Partition

AD Database Layer

LDAP Layer

The primary interface for AD DS access. Directory clients use LDAP v3 to connect to the DSA through the LDAP interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2.

REPL Layer

The replication management interface.

SAM Layer

Proprietary interface for connecting to the DSA on behalf of clients that run Windows NT 4.0 or earlier.

Logical and Physical Components of Active Directory

Logical Components

Domain

OU

Objects

Global Catalog

Tree

Forest

Group Policy

Physical Components

Domain Controller

Sites

Site Link

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Forest Wide: Schema Master

The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master.

There can be only one schema master in the whole forest.

Domain Naming Master

The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories.

There can be only one domain naming master in the whole forest.

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Domain Wide: Infrastructure Master

When an object in one domain is referenced by another object in another domain, it represents the reference by the SID and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

At any one time, there can be only one domain controller acting as the infrastructure master in each domain.

Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Domain Wide: Relative ID (RID) Master

The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC.

At any one time, there can be only one domain controller acting as the RID master in the domain.
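The SID structure and RID-pool behaviour just described, as an added Python example (not code from the slide deck). The domain SID used in the checks, the block size and the threshold are constructed for illustration; the simulation shows why every DC depends on the RID master once its local pool runs low, and why SIDs created on different DCs never collide.

```python
"""SIDs and RID pools, modelling the slide's description of the RID master.

Added example; not code from the slide deck. parse_sid() splits a SID
string into revision, identifier authority and sub-authorities, and
separates the domain SID from the RID. RidMaster/DomainController are a
small simulation: each DC assigns RIDs from its own pool and asks the RID
master for a new block when the pool falls to the threshold. The block
size and threshold are illustrative, not Windows' real values.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple[int, ...]

    def __str__(self) -> str:
        return "S-%d-%d" % (self.revision, self.authority) + "".join(f"-{s}" for s in self.sub_authorities)

    @property
    def rid(self) -> int:
        """The last sub-authority: the relative ID, unique within the domain."""
        return self.sub_authorities[-1]

    @property
    def domain_sid(self) -> Sid:
        """Everything but the RID: shared by every principal in the domain."""
        return Sid(self.revision, self.authority, self.sub_authorities[:-1])


def parse_sid(text: str) -> Sid:
    """Parse 'S-1-5-21-...-RID'; raises ValueError for anything malformed."""
    parts = text.strip().split("-")
    if len(parts) < 4 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {text!r}")
    try:
        nums = [int(p) for p in parts[1:]]
    except ValueError as exc:
        raise ValueError(f"non-numeric component in SID {text!r}") from exc
    if nums[0] != 1 or any(n < 0 or n > 0xFFFFFFFF for n in nums[2:]):
        raise ValueError(f"out-of-range component in SID {text!r}")
    return Sid(nums[0], nums[1], tuple(nums[2:]))


def is_domain_account_sid(sid: Sid) -> bool:
    """True for the S-1-5-21-<3 sub-authorities>-<RID> shape domain principals carry."""
    return sid.authority == 5 and len(sid.sub_authorities) == 5 and sid.sub_authorities[0] == 21


class RidMaster:
    """Hands out contiguous RID blocks from the domain's unallocated pool."""

    def __init__(self, start: int = 1000, block_size: int = 500) -> None:
        self.next_rid = start
        self.block_size = block_size
        self.requests = 0  # how often DCs had to come back for more RIDs

    def allocate_block(self) -> range:
        self.requests += 1
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        return block


class DomainController:
    """Creates security principals, drawing RIDs from a locally held pool."""

    def __init__(self, name: str, domain_sid: Sid, rid_master: RidMaster, threshold: int = 50) -> None:
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.threshold = threshold
        self.pool: list[int] = []
        self.created: dict[str, Sid] = {}

    def create_principal(self, sam_name: str) -> Sid:
        if len(self.pool) <= self.threshold:
            # Pool at or below threshold: request another block from the RID master.
            self.pool.extend(self.rid_master.allocate_block())
        rid = self.pool.pop(0)
        sid = Sid(self.domain_sid.revision, self.domain_sid.authority,
                  self.domain_sid.sub_authorities + (rid,))
        self.created[sam_name] = sid
        return sid
```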

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Domain Wide: PDC Emulator

The PDC emulator is necessary to synchronize time in an enterprise. At any one time, there can be only one domain controller acting as the PDC emulator in each domain.

The PDC emulator role also performs the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.

The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

Domain Functional Level

Active Directory has functional levels at the domain and forest levels, which determine which Active Directory features are available. The higher the functional level, the more features are available.

The different domain functional levels are:

Windows 2000 native

Gives basic Active Directory functionality.

Windows Server 2003

Allows the computer name of a domain controller to be changed.

Adds a last login time stamp to each user account.

Adds UserPassword to the iNetOrgPerson object. This is used when migrating from a third-party directory service. It allows the third-party password to be stored in Active Directory.

Constrained delegation.

Domain Functional Level

Windows Server 2008

DFS for replication of the SYSVOL share.

Advanced Encryption Standard (AES) for Kerberos.

Additional last login details. Adds attributes like the number of failed login attempts.

Fine-grained password policies. Allows multiple password policies to be defined in the same domain.

Windows Server 2008 R2

Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how it was authenticated, e.g., if a smart card was used to authenticate the user.

Automatic SPN (Service Principal Name) management.

Mixed or Interim

Upgraded from an NT4 domain and may have some domain controllers that are still NT4.

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

More Details

Forest Functional Level

Active Directory has functional levels at the domain and forest levels, which determine which Active Directory features are available. The higher the functional level, the more features are available.

The different forest functional levels are:

Windows 2000

Windows Server 2003

Windows Server 2008

Windows Server 2008 R2

Windows Server 2012

Windows Server 2012 R2

Windows Server 2016

More Details

Windows Server Administrator Jobs in India

Windows Server Administrator Jobs

Let's take a look at the leading job portals.

Naukri.com

Monster.com

Shine.com

Now willing to learn more?

Ready To Deploy Training from BinaryTitans. Here we cover the following:

a. Installing and Configuring Windows Server 2012

b. Administering Windows Server 2012

c. Configuring Advanced Windows Server 2012 Services

d. Designing and Deploying Microsoft Exchange Server 2016

e. Cisco Certified Network Associate

To enroll, reach out to BinaryTitans Administration Team

+91 80 50158271

Thank you for reading

