Understanding Active Directory Level 100

Transcription

1 Understanding Active Directory Level 100 Ashwin Venugopal BinaryTitans IT Solutions Pvt. Ltd.

2 What we are going to Learn here?

3 Content What is Directory Service? Active Directory History of Directory Service Advantage of LDAP Back to Active Directory Naming conventions DNS Naming Resolution DNS DNS Zone DNS Zone Type DNS Round Robin DNS Queries & DNS Transfers DNS & Active Directory AD objects AD Database Schema Domain, Tree and Forest Part 1 Part 2 ACID Property of a Database Active Directory Sites and Services Active Directory Replication Domain Controller Global Catalog Server Logical and Physical Components of Active Directory FSMO Roles Domain Functional Level Forest Functional Level Installing Active Directory (Windows Server 2012)

4 Understanding Active Directory Level 100 Part 1

5 What is Directory Service? A directory service is a container that provides a hierarchical structure and allows to store objects for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for Name and retrieve the phone number, address, or other information without knowing where that person lives. Before directory services, If you needed a file, you needed to know the name of the file, the name of the server on which it is stored and its folder path. Now this works well on small network, but as the network grows it becomes challenging. Directory service is the means by which users and administrators can locate resources regardless of where those resources are located. Also earlier typical user could have more than one user account or password, and as the network grows and the number of username and password also increases, like one for File Server, one for server, etc.

6 Active Directory Active Directory is Microsoft s answer to directory services and it does a lot more than just locating resources. Active Directory take care of this by using Kerberos Authentication and Single Sign-On (SSO). SSO means ability of Kerberos to provide a user with one set of credentials and grant them access across a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket with which the user gains access to the resources and services that support Kerberos. Active Directory also makes user management more easier as it acts as a single repository for all of this user and computer related information.

7 History of Directory Service Earlier to today s directory services is X.500 specification that emerged from the International Telecommunications Union (ITU), formerly the CCITT (Comité Consultatif International Téléphonique et Télégraphique). X.500 sits at the Application layer in the OSI model. X.500 contain several component databases that work together as a single entity. The primary database is the Directory Information Base (DIB), which stores information about the objects. Major limitation was its lack of integration with Internet Protocol (IP). Protocol it used was Directory Access Protocol, or DAP. DAP offered more functionality than that is required for implementing directory services, so a scaled down version called Lightweight Directory Access Protocol (LDAP) was made. Later it was considered as a standard by Internet Engineering Task Force (IETF).

8 Advantage of LDAP LDAP relies on the TCP/IP stack rather than the OSI stack Integrate with IP and enable IP clients to use LDAP to query directory services. LDAP can perform hyper-searches. Giving one directory the ability to defer to another to provide requested data. LDAP s API isc-based Like X.500, LDAP uses an inverted-tree hierarchical structure LDAP supports Kerberos authentication, Simple Authentication Security Layer (SASL), and Secure Sockets Layer (SSL) Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.

9 Back to Active Directory AD is Microsoft s answer to directory services and it does a lot more than just locating resources. AD uses LDAP as its access protocol. AD relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries. Lets Understand Active Directory in more detail.

10 Naming Conventions AD contains information about objects in your enterprise. These objects can be computers, users, printers etc. AD is a container with nested containers holding other containers or objects. And we name these container and objects so that its easy to query or search. AD supports several Naming Conventions. User Principal Names, orupn LDAP names also known as Distinguished Name

11 User Principal Names UPN This one you ll probably find most familiar, is as per RFC 822 specification. This has the same format as your address: Like They take the form If you have a user named User01 under Active Directory domain Domain01.local, the UPN will be User01@Domain01.Local Note: We will discuss more about AD domain later. In AD you can create custom UPNs too, which means you can also add User01@Domain01.com or User01@xyz.com as UPN for above mentioned object.

12 LDAP Names aka Distinguished Name Typically it has this format cn=common name ou=organizational unit dc=domain cn=ashwin,ou=learning,dc=binarytitans,dc=com And your query would look as below LDAP://BTSVRDCo1.binarytitans.com/cn=Ashwin,ou=Learning,dc= binarytitans,dc=com

13 Naming Resolution In today s networks, you assign logical addresses, such as with IP addressing. Unfortunately, these addresses tend to be hard to remember, especially in the case of newer, more complicated IPv6 addresses. Therefore, you need to use some form of naming service that will allow you to translate logical names, which are easier to remember, into logical addresses. The most common naming service is Domain Name System, or DNS.

14 DNS DNS is short for Domain Name System. DNS is a hierarchical client/server-based distributed database management system that translates domain/hosts names to IP addresses. The top of the tree is known as the root domain. Below the root domain, you will find top-level domains, such as.com,.edu,.org, and.net, as well as two-letter country codes, such as.uk,.ca, and.us.

15 DNS Zones Zone is a collection of records which share similar naming pattern.

16 DNS Zones Types When you define DNS zones, you create the zone as either: Forward lookup zone A forward lookup zone is the most common type of zone. DNS clients can use this zone to obtain such information as IP addresses that correspond to DNS domain names or services that is stored in the zone. Reverse lookup zone. Provides mapping from IP addresses back to DNS domain names.

17 DNS Round Robin DNS servers use a mechanism called round-robin to share and distribute loads for a network resource. Round-robin rotates the order of resource records with the same name that point to different IP addresses.

18 DNS Queries & DNS Transfers DNS queries and DNS transfers occur over TCP/UDP port 53. So, if you have any firewall between servers (including firewalls running on the servers), you will need to open port 53.

19 DNS & Active Directory DNS Server must support Service resource (SRV) records Dynamic update protocol specified by RFC 2136 AD relies on DNS as its primary locator service, although its not the only mechanism for locating domain controllers (DCs). Domain Controller is the server which has Active Directory Installed. When a Domain Controller starts, it registers both its DNS name and NetBIOS name. More on NetBIOS name later. It add LDAP-specific SRV records in DNS to enable LDAP clients to locate DCs through LDAP queries. It also add Kerberos authentication protocol-specific SRV records to enable clients to locate servers running the Kerberos Key Distribution Center (KDC) service. Also each DC also adds an A record that enables clients that don t support SRV records to locate the DC through a simple host record lookup.you can disable this if required.

20 Active Directory objects Objects in AD can be either containers for other objects or they can be leaf objects, which do not serve as containers. Objects in AD have attributes, and these attributes not only define the object but also store data. This defines the character of that Object. Some attributes and optional and some are mandatory. Optional : Phone Number Mandatory: Username When an Object is created AD assigns a GUID, which is a 128-bit number and no two objects in AD have the same GUID. And If an object is moved from AD, it doesn't delete its GUID Objects in AD are protected by Access Control Lists (ACLs).

21 Active Directory objects Objects in AD can be either containers for other objects or they can be leaf objects, which do not serve as containers. Objects in AD have attributes, and these attributes not only define the object but also store data. This defines the character of that Object. Some attributes and optional and some are mandatory. Optional : Phone Number Mandatory: Username When an Object is created AD assigns a GUID, which is a 128-bit number and no two objects in AD have the same GUID. And If an object is moved from AD, it doesn't delete its GUID Objects in AD are protected by Access Control Lists (ACLs).

22 Active Directory Database The ESE comprises of tables that define the structure of the directory. The Database Layer has three partition that define the contents of AD with an optional 4th table or partition. 1. Schema Partition This stores Active Directory Schema. Active Directory Schema defines what are the types of objects that can be created in the directory How are those objects relate to one another, and what are the mandatory and optional attributes of each object. And how can one create such objects. 2. Configuration Partition This contains configuration of AD. 3. Domain Partition This partition stores the objects. 4. Application Partition This is an optional 4th partition that an administrator can create.

23 Active Directory Schema Active Directory Schema defines what are the types of objects that can be created in the directory How are those objects relate to one another, and what are the mandatory and optional attributes of each object. And how can one create such objects. Schema requires to updates whenever you need to create a new type of object or add anything that requires new attribute.

24 Domain, Tree and Forest AD Domain Objects that are made on AD are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). AD Domain Tree A tree is a collection of one or more domains AD Forest A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.

25 Understanding Active Directory Level 100 Part 2

26 ACID Property of a Database In computer science, ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee that database transactions are processed reliably. In the context of databases, a single logical operation on the data is called a transaction

27 Atomicity Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged. ACID Property of a Database Consistency The consistency property ensures that any transaction will bring the database from one valid state to another. Isolation The isolation property ensures that the concurrent execution of transactions results in a system state that could have been obtained if transactions are executed serially, i.e. one after the other. Each transaction has to execute in total isolation. Durability Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. Even if the database crashes it can be restored.

28 Active Directory Sites Sites in Active Directory represent the physical structure, or topology, of your network. Managed using Active Directory Sites and Services Console. Each Sites are connected by a Site link and each Site link has a cost associated.

29 Active Directory Replication Intrasite Replication Intersite Replication

30 Active Directory Replication Intrasite Replication Happens between DC s in the same site. Replication happens 15 seconds after a change. This happens automatically. Intrasite topology is automatically generated by KCC (Knowledge consistency checker) which runs on every DC.

31 Active Directory Replication Intersite Replication This is not created automatically. Administrator makes. Active Directory will automatically pick a Domain Controller from each site to act as a Bridgehead server. Bridgehead servers replicate changes between the sites. This is much efficient than every DCs attempting to replicate to other sites. When a change happens to the bridgehead server change is replicated to all other domain controllers inn that site. Administer can manually select the bridgehead server, they are called preferred bridgehead server. If they are selected manually and if those DCs aren t available no replication will occur. Each of these sites are connected each other by Site Link.

32 Active Directory Replication Site Link Determine the schedule of replication. Allows to configure a cost Cost determines at what priority these links should be used. Lower cost, higher priority KCC running on bridge will act as ISTG (InterSite Topology Generator. Whenever a site link goes down, KCC creates a new InterSite Replication Topology. KCC runs every 15 mins.

33 Active Directory Replication Transport Protocol RPC over IP Supports every type of data replication required for Active Directory Synchronous Used when the connectivity is reliable. Always used for Intrasite replication. SMTP Can replication everything other than file replication. Files Login Scripts and Group Policies. Asynchronous Used when the connectivity is unreliable. RPC over IP is normally used in the real world.

34 Active Directory Replication Multi Master Multi-master replication is a method of database replication which allows data to be stored by a group of computers, and updated by any member of the group. Single Master Single-master replication is a method of database replication which allows data to be stored by a group of computers, but can only be updated by one member of the group.

35 Replsummary operation quickly and concisely summarizes the replication state and relative health of a forest. repadmin /replsummary Active Directory Commands Synchronizes a specified domain controller with all replication partners, and reports if the sync was successful or not repadmin /syncall /e repadmin /syncall /Aped A ( All partitions ) P ( Push ) E( Enterprise ) D ( Distinguished Name ) Forces the KCC on targeted domain controller(s) to immediately recalculate its inbound replication topology repadmin /kcc *

36 Replsummary operation quickly and concisely summarizes the replication state and relative health of a forest. repadmin /replsummary Active Directory Commands Find the last time your DCs were backed up, by reading the DSASignature attribute from all servers Repadmin /showbackup * Output all replication summary information from all DCs Repadmin /showrepl * Displays inbound replication requests that the domain controller has to issue to become consistent with its source replication partners. Repadmin / queue *

37 List all the Domain Controllers in Active Directory DSQUERY Server -o rdn Active Directory Commands Displays calls that have not yet been answered, made by the specified server to other servers repadmin /showoutcalls * List the Topology information of all the bridgehead servers repadmin /bridgeheads * /verbose Inter Site Topology Generator Report repadmin /istg * /verbose

38 Displays a list of failed replication events detected by the Knowledge Consistency Checker (KCC). repadmin /failcache * Active Directory Commands Lists all domains trusted by a specified domain Repadmin /showtrust * Displays the replication features for, a directory partition on a domain controller. repadmin /bind * Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting dcdiag /c /e /v

39 Domain Controller Server which has Active Directory installed Uses LDAP port 389 for communication

40 Global Catalog Server The global catalog is a domain controller that contains a searchable, partial representation of every object in every domain in a multi domain Active Directory forest. Uses non standard LDAP port 3268 for communication.

41 Directory System Agent (DSA) Layer The directory service component that runs as Ntdsa.dll on each domain controller, providing the interfaces through which services and processes gain access to the directory database. AD Database Layer ESE Layer JetEngine Database Layer Schema Partition Config Partition Domain Partition Application Partition

42 LDAP Layer The primary interface for AD DS access. Directory clients use LDAP v3 to connect to the DSA through the LDAP interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2. AD Database Layer REPL Layer The replication management interface. SAM Layer Proprietary interface for connecting to the DSA on behalf of clients that run Windows NT 4.0 or earlier.

43 Logical and Physical Components of Active Directory Logical Components Domain OU Objects Global Catalog Tree Forest Group Policy Physical Components Domain Controller Sites Site Link

44 FSMO Roles aka Operations Roles FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles) Forest Wide Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest. Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

45 FSMO Roles aka Operations Roles FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles) Domain Wide: Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the SID and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.

46 FSMO Roles aka Operations Roles FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles) Domain Wide: Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

47 FSMO Roles aka Operations Roles FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles) Domain Wide: PDC Emulator: The PDC emulator is necessary to synchronize time in an enterprise. At any one time, there can be only one domain controller acting as the PDC Emulator in each domain. The PDC emulator role also does the following functions: Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator. Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. Account lockout is processed on the PDC emulator. Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator. The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

48 Domain Functional Level Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level the more features available. The different domain functional levels are: Windows 2000 native Gives basic Active Directory functionality Windows Server 2003 Allows the computer name of a domain controller to be changed. Adds last login time stamp to each user account Adds UserPassword to inetorgperson object. This is used when migrating from a 3rd party directory service. It allows the 3rd party password to be stored in Active Directory. Constrained delegation.

49 Domain Functional Level Windows Server 2008 DFS for replication of SysVol share. Advanced Encryption System (AES) for Kerberos Additional last login details. Adds attributes like number of failed login attempts. Fine-grained password. Allows multiple password policies to be defined in the same domain. Windows Server 2008 R2 Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how it was authenticated, e.g., if a SmartCard was used to authenticate the user. Automatic SPN (Service Principal Names) management. Mixed or Interim Upgraded from an NT4 domain and may have some domain controllers that are still NT4. Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 More Details

50 Forest Functional Level Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level the more features available. The different forest functional levels are: Windows 2000 Windows Server 2003 Windows Server 2008 Windows Server 2008 R2 Windows Server 2012 Windows Server 2012 R2 Windows Server 2016 More Details

51 Windows Server Administrator Jobs in India

52 Windows Server Administrator Jobs Lets take a look at the leading Job Portals. Naukri.com Monster.com Shine.com

53 Want this document offline? Click here. Add your review here. Now willing to learn more? Ready To Deploy Training from BinaryTitans. Here we cover the following: a. Installing and Configuring Windows Server 2012 b. Administering Windows Server 2012 c. Configuring Advanced Windows Server 2012 Services d. Designing and Deploying Microsoft Exchange Server 2016 e. Cisco Certified Network Associate To enroll, reach out to BinaryTitans Administration Team

54 Thank you for reading