
Active Directory for Windows Server
Sandeep Kapadane
Index

Active Directory Introduction

Active Directory Basics

Components of Active Directory

Active Directory hierarchical structure.

Active Directory Database.

Flexible Single Master Operations (FSMO) Roles

Active Directory Services.

Active Directory Introduction
What is Active Directory?

Active Directory is Microsoft's version of the X.500 recommendations. It is a database and directory service that maintains the relationships between resources and enables them to work together. It provides a centralized repository for user account information and for directory authentication, authorization and the assignment of rights and permissions.

It stores information in a hierarchical, tree-like structure. It depends on two Internet standards: DNS and LDAP. Information in Active Directory can be queried using the LDAP protocol, and Kerberos V5 is used for authentication.
Do I Need Active Directory?

If I want to centrally manage access to resources such as printers, users and groups.

If I want to control user accounts from one location.

If I have applications that rely on Active Directory.
Active Directory Basics
The Basics

X.500 Recommendations

Domain Naming System (DNS)

LDAP

Schema

Replication

Global catalog

Components of Active Directory
What are the X.500 Recommendations?

To address the needs of organizations, the Institute of Electrical and Electronics Engineers (IEEE) developed a set of recommendations that defined how a directory service should address the needs of administrators and efficiently allow management of network resources. These recommendations are known as the X.500 recommendations.
Domain Naming System (DNS)

Domain Naming System (DNS) is the hierarchical naming and domain name resolution system used on the Internet and in Windows networks for name resolution.

It converts a domain name into its related IP address.

Active Directory depends on DNS, and both share the same zone-naming conventions. If the DNS server fails, Active Directory fails too.
LDAP

LDAP is a directory access protocol used to exchange directory information from server to clients or from server to server.

The port number for LDAP is 389.

It was initially used as a front-end to X.500, but it can also be used with stand-alone and other kinds of directory servers.
Schema

The Schema acts as the building block of Active Directory. It holds all of the information needed to create users, groups, computers, and so on within Active Directory. The Schema defines the classes of objects that are allowed within a directory and the attributes that are associated with those objects. These must be consistent across domains in order for security policies and access rights to function correctly. It defines how each attribute can be used and the properties associated with the attribute.
Schema Attributes

To standardize Active Directory, the Schema defines the attributes that can be used when creating objects. These attributes are defined only once and can be used for any object.

Defining an attribute once and using it for multiple objects allows a standardized approach to defining objects.

An example of an attribute is name.

Each attribute within the schema has to have a unique OID (Object Identifier).


These OIDs are registered and maintained by the Internet Assigned Numbers Authority (IANA). Once assigned, an OID should not be used by any other attribute.

New attributes need to be assigned an OID. If you are adding an attribute for use in an object, you should register it with the IANA to safeguard the attribute and to make sure that it does not collide with any other attribute. Registration is free, and as long as your OID is unique, you should be issued an OID for your attribute.
Schema Classes

An object class is a defined grouping of attributes that make up a unique resource type.

One of the most common object classes is the user class. The user object class is used as the template for a user account. When you create a user, the attributes that are defined for the user object class are used to define the new account.
Replication

Replication is the process of making a replica (a copy) of something.

Replication is the automatic synchronization of data that occurs among domain controllers.

Any change to a user account is made on one of the domain controllers and then sent to every other domain controller within the domain; this transfer of data is called replication.

Replication can be a burden on the network. To reduce that burden, Active Directory replicates only the attributes that have changed, not the entire object.
Synchronization

The process of making two or more data storage devices or programs (in the same or different computers) have exactly the same information at a given time.
Global Catalog

The Global Catalog maintains indexes of objects. It contains full information about the objects in its own domain and partial information about the objects in other domains. Universal group membership information is stored on global catalog servers and replicated to all GCs in the forest.

The port number for the Global Catalog is 3268.

Components of Active Directory

There are two types of components:
− Logical components

Domain

Tree

Forest

Organizational unit
− Physical components

Site

Domain controller

Logical Components of Active Directory
Domain

The domain is the core unit of logical structure in Active Directory. All objects that share a common directory database, trust relationships with other domains and security policies are collectively known as a domain.

Each domain stores information about the objects that belong to that domain.

Security policies and settings, such as administrative rights, security policies and Access Control Lists (ACLs), do not cross from one domain to another.

A domain administrator has full rights to set policies only within the domain they belong to.

Domains provide administrative boundaries for objects, manage security for shared resources and act as the unit of replication for objects.
Tree

Trees are collections of one or more domains that allow global resource sharing. A tree may consist of a single domain or of multiple domains in a contiguous namespace.

A domain added to a tree becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain can itself have multiple child domains. A child domain uses its own name followed by the parent domain's name and so gets a unique Domain Name System (DNS) name.
Forest

A forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure and directory configuration.

The primary security boundary for Active Directory is the forest, which contains the domain trees.

Forests allow organizations to group divisions that use different naming schemes and may need to operate independently, but that as an organization want to communicate with the entire organization via transitive trusts and share the same schema and configuration container.

The first domain you create in the forest is called the forest root domain.
Organizational Unit

An organizational unit is a logical component of Active Directory and is used to organize users, groups and computers.

Physical Components of Active Directory
Site

A site contains Active Directory resources that are all connected by reliable high-speed bandwidth, a minimum of 10 MB. Site membership is used in the logon process, as a computer attempts to locate domain controllers in its own site first; in replication; in accessing global catalogs; and in the Exchange Server messaging infrastructure.
Domain Controller

A domain controller is a single computer or server that holds and controls the Active Directory database.

It is the physical component of Active Directory and is used to control and manage the domains in an organization's forest.
Active Directory Hierarchical Structure

[Diagram: a forest containing domain trees, with the forest root domain at the top]

The primary security boundary for Active Directory is the forest, which contains the domain trees.

There can be one or more domain trees in a forest, though the first domain is designated as the forest root domain. A domain tree can contain multiple domains that share a common namespace. Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees. Each forest has an Enterprise Admins group as well as a Schema Admins group. Members of these groups have authority over all the domain trees in the forest.

All domain controllers within the forest share the same schema.

Each domain has a Domain Admins group and administrators.

Administrators in a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships. This type of structure is known as a hierarchical structure.

Active Directory Database

Active Directory stores its data in a file named ntds.dit.

In addition to the database file, Active Directory uses log files that store information prior to committing it to the database: edb.log, edb.chk, res1.log and res2.log. By default, these files are located in the %systemroot%\NTDS folder.

During AD installation, Dcpromo lets you specify alternative locations for the log files and database file, or you can use ntdsutil to move the database to an alternate location after installation.
Moving the database to another location

Start the computer in Directory Services Restore Mode, log on with the Directory Services Restore Mode Administrator account and open a command prompt. Then type:

ntdsutil (press Enter)

files (press Enter)

move DB to <new directory location path> (press Enter)

quit (press Enter; repeat once more to exit ntdsutil)

Moving the log files to another location

Start the computer in Directory Services Restore Mode, log on with the Directory Services Restore Mode Administrator account and open a command prompt. Then type:

ntdsutil (press Enter)

files (press Enter)

move logs to <new directory location path> (press Enter)

quit (press Enter; repeat once more to exit ntdsutil)

Flexible Single Master Operations (FSMO Roles)
What Are the FSMO Roles?

FSMO roles are specialized services within Active Directory that should be performed only by a single domain controller.

Five roles make up the FSMO (Flexible Single Master Operations) roles:
− Schema Master
− Domain Naming Master
− Infrastructure Master
− Relative Identifier (RID) Master
− Primary Domain Controller (PDC) Emulator

All five of these roles can coexist on one domain controller, or you can move them so that each runs on its own independent domain controller.
FSMO Role: Schema Master

The Schema Master domain controller controls all updates and modifications to the schema. Once a schema update is complete, it is replicated from the Schema Master to all other DCs in the directory.

To update the schema of a forest, you must have access to the Schema Master.

There can be only one Schema Master in the whole forest.

To see all FSMO role holders, run the command
netdom query fsmo /domain:<domain>
FSMO Role: Domain Naming Master

The Domain Naming Master domain controller controls the addition or removal of domains in the forest.

There can be only one Domain Naming Master in the whole forest.
FSMO Role: Infrastructure Master

The Infrastructure Master domain controller is responsible for updating an object's SID and distinguished name in cross-domain object references.

There can be only one domain controller acting as the Infrastructure Master in each domain.

The Infrastructure Master (IM) role should be held by a domain controller that is not a global catalog server. If the Infrastructure Master runs on a global catalog server, it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a global catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log.

If all domain controllers in the domain also host the global catalog, all the domain controllers have the current data and it does not matter which domain controller holds the Infrastructure Master role.
FSMO Role: RID Master

The RID Master is responsible for processing RID pool requests from all domain controllers in a particular domain.

When a DC creates a security principal object such as a user or group, it attaches a unique security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain.

Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates.

When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID Master. The RID Master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.

At any one time there can be only one domain controller acting as RID Master in the domain.
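The domain SID plus RID structure described above can be checked on any Windows host. This is an added example, not part of the original slides; it uses the .NET SecurityIdentifier type, and the two SID values at the bottom are constructed samples, not values from a real domain.

```powershell
# Added example: split a SID into the domain SID shared by every principal in the
# domain and the RID that the issuing DC took from its RID pool.
function Split-Sid {
    param([Parameter(Mandatory)][string]$SidString)

    $sid = [System.Security.Principal.SecurityIdentifier]::new($SidString)

    # The last sub-authority of a domain-scoped SID is the RID.
    $parts = $SidString -split '-'
    $rid   = [int64]$parts[-1]

    # AccountDomainSid is $null for SIDs that are not domain-scoped (e.g. S-1-5-18).
    $domainSid = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { $null }

    # RIDs below 1000 are reserved for well-known principals; DCs hand out
    # pool-issued RIDs starting at 1000. (518/519 exist only in the forest root domain.)
    $wellKnown = @{
        500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
        512 = 'Domain Admins'; 513 = 'Domain Users'; 516 = 'Domain Controllers'
        518 = 'Schema Admins'; 519 = 'Enterprise Admins'
    }

    [pscustomobject]@{
        Sid        = $SidString
        DomainSid  = $domainSid
        Rid        = $rid
        WellKnown  = if ($wellKnown.ContainsKey([int]$rid)) { $wellKnown[[int]$rid] } else { $null }
        PoolIssued = ($null -ne $domainSid) -and ($rid -ge 1000)
    }
}

# Constructed sample SIDs: a well-known RID and a pool-issued RID in the same domain.
'S-1-5-21-1111111111-2222222222-3333333333-512',
'S-1-5-21-1111111111-2222222222-3333333333-1105' |
    ForEach-Object { Split-Sid $_ } | Format-Table -AutoSize
```

Both samples resolve to the same DomainSid; only the RID differs, which is why a RID must never be issued twice within a domain.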
FSMO Role: PDC Emulator

The PDC Emulator is necessary to synchronize time in an enterprise Windows environment.

Windows 2000/2003 includes the W32Time time service, which is required by the Kerberos authentication protocol.

All Windows 2000/2003-based computers within an enterprise use a common time. The purpose of the time service is to ensure that the Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, so that a common time is used appropriately.

The PDC Emulator of a domain is authoritative for the domain, and the PDC Emulator at the root of the forest becomes authoritative for the enterprise. It should be configured to gather the time from an external source.

All PDC FSMO role holders follow the hierarchy of domains in selecting their inbound time partner.

The PDC Emulator role holder also performs the following functions:
− Password changes performed by other DCs in the domain are replicated preferentially to the PDC Emulator.
− Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC Emulator before a bad-password failure message is reported to the user.
− Account lockout is processed on the PDC Emulator.
− Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC Emulator's SYSVOL share, unless the administrator configures it otherwise.

At any one time there can be only one DC acting as PDC Emulator in each domain in the forest.
Viewing FSMO Role Holders

Command to check all FSMO role holders in the domain domain.local:
netdom query fsmo /domain:domain.local

Using Dcdiag:
dcdiag /test:knowsofroleholders /v

You can find individual role holders with the dsquery command:
− To find the Schema Master
dsquery server -hasfsmo schema
− To find the Domain Naming Master
dsquery server -hasfsmo name
− To find the Infrastructure Master
dsquery server -hasfsmo infr
− To find the RID Master
dsquery server -hasfsmo rid
− To find the PDC Emulator
dsquery server -hasfsmo pdc
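The same information is available from the ActiveDirectory PowerShell module, which also makes it easy to apply the Infrastructure Master rule from the previous section (the IM should not be a GC unless every DC in the domain is a GC). This is an added example, not code from the original slides; it assumes the RSAT ActiveDirectory module on a domain-joined host with read access to the forest.

```powershell
# Added example: report the five FSMO role holders and flag an Infrastructure Master
# that runs on a global catalog while other DCs in the domain are not GCs.
Import-Module ActiveDirectory

function Get-FsmoReport {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    # Forest-wide roles come from the forest object, per-domain roles from the domain object.
    $roles = [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }

    # Infrastructure Master check: harmless only if every DC in the domain is a GC.
    $dcs    = Get-ADDomainController -Filter * -Server $Domain
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $imHost = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $imIsGc = [bool]$imHost.IsGlobalCatalog

    $warning = if ($imIsGc -and -not $allGc) {
        "Infrastructure Master $($dom.InfrastructureMaster) is a GC while other DCs are not; " +
        'cross-domain object references in this domain will not be updated'
    } else { $null }

    [pscustomobject]@{
        Domain   = $Domain
        Roles    = $roles
        AllDcsGc = $allGc
        ImIsGc   = $imIsGc
        Warning  = $warning
    }
}

$report = Get-FsmoReport
$report.Roles
if ($report.Warning) { Write-Warning $report.Warning }
```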
Active Directory Services

Distributed File System

Domain Name System (DNS) Server

File Replication

Intersite Messaging

Kerberos Key Distribution Center

Remote Procedure Call (RPC) Locator

Active Directory Domain Services (ADDS)

Active Directory Lightweight Directory Services

Active Directory Rights Management Services

Active Directory Certificate Services

Distributed File System: Manages logical volumes across local and wide area networks.

Domain Name System (DNS) Server: Responds to DNS queries and dynamic DNS requests.

File Replication: Allows files to be copied and maintained across multiple servers.

Intersite Messaging: Allows messages to be exchanged between Windows servers.

Kerberos Key Distribution Center: Enables users to log on to the domain using the Kerberos authentication protocol.

Remote Procedure Call (RPC) Locator: Enables RPC clients using the RpcNs* APIs to locate RPC servers.

Active Directory Domain Services (ADDS): Stores all information about resources on the network, such as users, computers and other devices.

Active Directory Lightweight Directory Services: Allows administrators to create small versions of Active Directory that run as non-operating-system services.

Active Directory Federation Services: Provides web single sign-on (SSO) technologies to authenticate users to multiple web applications in a single session.

Active Directory Rights Management Services: Protects and secures information from unauthorized use online and offline, inside and outside of the environment.

Active Directory Certificate Services: Allows the mapping of users and resources to private keys to help secure identity in a public key infrastructure (PKI) based environment.
Finding highly privileged group membership

You can view membership of highly privileged domain groups using the net.exe utility at a command prompt.

net.exe group <domain-group-name> /DOMAIN

For example, to view membership of the Domain Admins group the command is:
net.exe group "Domain Admins" /DOMAIN

Finding users that have not logged on since last month

You can find such accounts in your organization's domain by using the net.exe command:

net.exe user <username> /DOMAIN

It returns the domain account information about the user, such as when the user's password was last set, when the user's current password expires and when the user last logged on.
net.exe user Testuser /DOMAIN
OR
net.exe user Testuser /DOMAIN | findstr /C:"Last logon"
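net.exe shows one group's direct members and one user at a time. The added example below (not from the original slides) does the same two audits across the whole domain with the ActiveDirectory module: nested membership of the privileged groups, and enabled users inactive for 30 days. It assumes the RSAT ActiveDirectory module and read access to the domain; the group list is an assumption you can extend.

```powershell
# Added example: privileged group membership (nested) and stale enabled accounts.
Import-Module ActiveDirectory

function Get-PrivilegedMembers {
    param([string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins'))
    foreach ($g in $Groups) {
        # -Recursive expands nested groups, which "net group" does not show.
        # Enterprise/Schema Admins exist only in the forest root domain, so errors are ignored.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object objectClass -eq 'user' |
            Get-ADUser -Properties LastLogonDate, Enabled |
            Select-Object @{n='Group';e={$g}}, SamAccountName, Enabled, LastLogonDate
    }
}

function Get-StaleUsers {
    param([int]$Days = 30)
    # LastLogonDate is derived from lastLogonTimestamp, which is replicated to every DC
    # (accurate to roughly 14 days). The "Last logon" that "net user" prints comes from
    # the lastLogon attribute, which is per-DC and not replicated, so it can look stale
    # depending on which DC answered.
    Search-ADAccount -AccountInactive -TimeSpan ([timespan]::FromDays($Days)) -UsersOnly |
        Where-Object { $_.Enabled } |
        Select-Object SamAccountName, LastLogonDate
}

Get-PrivilegedMembers | Format-Table -AutoSize
Get-StaleUsers | Sort-Object LastLogonDate | Format-Table -AutoSize
```

A privileged account that also appears in the stale list is the first thing to review, since an unused admin account is a standing risk with no operational benefit.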
Some Useful Utilities

Repadmin

NetDiag

DCDiag

DNSCMD

DNSLint

Account Lockout and Management Tools
Repadmin

The replication diagnostic tool, more commonly known by its short name repadmin, can help diagnose Active Directory replication problems between domain controllers.

It verifies replication consistency between replication partners, monitors replication status, displays replication metadata, and forces replication events and topology recalculation.

Using this tool, administrators can look at the replication topology as seen from the point of view of each domain controller.

You can also use repadmin to force replication between domain controllers or to manually create a replication topology.
NetDiag

Checks end-to-end network connectivity and distributed services functions.

This command-line tool can be used to help diagnose and isolate connectivity issues in your network. It does this by performing a number of tests on the system and displaying network and configuration information.
DCDiag

DCDiag is a command-line utility that runs diagnostic tests against a domain controller. It runs several tests, and the output can span many screens.

If you want to perform specific tests against the domain controller, use the /test: switch. For instance, if you want to make sure that the replication topology is fully interconnected, issue the following command:
dcdiag /test:topology

To test that replication is functioning properly, issue the command:
dcdiag /test:replications

To view the status of global catalog replication, use the command:
dcdiag /v /s:domain_controller_name | find "%"
DNSCMD

This command-line tool is found in the Support Tools folder of the Windows Server CD and enables you to create, modify and delete resource records and zones.

If you want to view the DNS information and statistics of a server, type:
− dnscmd <server name> /info
Other useful switches for dnscmd are as follows:
/ZoneInfo: displays information about the target zone.
/DirectoryPartitionInfo: displays the directory partition information for the target partition.
DNSLint

This is a command-line utility for Windows Server 2003 and higher and is located in the Support Tools folder of the Windows Server CD.

It can be used to check and verify DNS records and server functionality and to generate a report in HTML.
dnslint /d domain_name | /ad [LDAP_IP_address] | /ql input_file [/c [smtp,pop,imap]] [/no_open] [/r report_name] [/t] [/test_tcp] [/s DNS_IP_address] [/v] [/y]
e.g.:
dnslint /ad

When using DNSLint you must specify one of three switches: /d, /ql or /ad.
/d: diagnoses problems; /ql: verifies a user-defined set of DNS records; /ad: verifies DNS records specifically used for Active Directory replication.
Account Lockout and Management Tools

The acctinfo.dll file is actually part of the Account Lockout and Management Tools you can download from Microsoft.

Acctinfo.dll adds an additional property page to the user account properties. This property page allows you to determine when the account's password was set, when the password expires, when the user last logged on or off the domain, as well as other lockout information.

LockoutStatus.exe displays information concerning a locked-out account. Use this tool to determine which computers were involved in the lockout of the account and when the lockout occurred.