Professional Documents
Culture Documents
Chapter1 - Active Directory
Chapter1 - Active Directory
COURSE
NETWORK TECHNOLOGY
Workgroup Workgroup
❖A peer-to-peer group of computers that share resources. ❖As small as two computers, or it can scale up to be quite large.
❖Authentication ❖Authorization
➢When connecting to a shared resource on a computer, you are first ➢Checks the permissions of the authenticated user and controls
prompted to supply a valid username and password on that access to functions based on the roles that are assigned to the user.
computer that has permissions to access the resource.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 5/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 6/74
/50
Workgroup Workgroup
❖The authentication process for the user log-in ❖SAM objects include the following:
is at the local computer.
➢SAM_ALIAS: A local group
❖Advantages: ❖Disadvantages:
➢Very simple to manage. ➢Low security.
o Passwords may not be changed very often.
➢Simply configure a resource for sharing and define who ▪ If they are changed, a user may update his password on a few
you want to share that resource with because systems but not on all of them, and then end up out of sync.
everything is set locally.
➢Less scalability.
➢Inexpensive option because you don’t need multiple
servers to support a workgroup.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 9/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 10/74
/50
Domain Domain
❖A logical grouping of computers that authenticate ❖Once authenticated, the user receives a token that follows them
to a central database of users stored on special around the network and automatically proves their identity to other
servers called domain controllers. domain-joined servers and clients.
➢Allow to access resources that specifically grant them access.
➢When users log into a computer that is joined
to a domain, their usernames and passwords
❖Only need to authenticate once to a
are authenticated on the nearest domain
domain controller to prove their identity
controller.
to all domain members, this feature is
called single sign-on.
❖Might have multiple controllers in a domain.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 11/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 12/74
/50
Domain Domain
❖The software components that provide for authentication functionality ❖Advantage ❖Disadvantage
are called Active Directory. ➢Centralization ➢Complex
➢Contains many other services and components to centrally manage
➢Manageability ➢High level of administration
and secure the computers that are joined to the domain.
➢Scalability ➢High-performance devices (server,
o Group Policy can also be used to configure operating system
➢Tight Security router, switch)
settings, security, and software for different computers and users
➢Single-Sign-On ➢Expensive
in the domain.
o Active directory Certificate Services can be used to
automate the configuration of deployment of encryption
certificates to domain computers and users.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 13/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 14/74
/50
Active Directory
15 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 16/74
/50
Active Directory Active Directory
❖AD DS consists NTDS.DIT (New Technology Directory Service. ❖Logically separated into the following partitions:
Directory Information Tree) file (%SystemRoot%\NTDS\Ntds.dit) ➢Schema Partition: contains the definition of objects and rules for
➢A database that stores all Active Directory data, including their manipulation and creation in an active directory.
information about user objects, groups and group membership as ➢Configuration Partition: contains the forest-wide active directory
well as password hashes for domain users. topology including DCs, sites and service.
➢Domain Partition: contain information about users, groups,
computers and OUs.
➢Application Partition: stores information about applications in an
AD. Suppose AD integrated DNS zones information is stored in this
partition.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 17/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 18/74
/50
Active Directory
❖Each domain controller (DC) has ❖After the domain controller validates your user name and password, it
a centralized copy of the Active issues your computer an encrypted token that lists:
Directory database. ➢Domain user account.
➢Domain group accounts of which you are a member.
19 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 20/74
/50
Active Directory Active Directory
❖When you access a shared resource on another computer in domain, ❖AD DS is composed of both logical and physical components
your token is automatically sent with the request to the target computer
to verify your identity.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 21/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 22/74
/50
❖Leaf objects: represent a user account, group account, computer ❖Domain (or Active Directory domain): used to group and manage
account, network resources published to the Active Directory database objects.
e.g., (shared printers). ➢Creates a management boundary.
➢Given a unique DNS domain name, such as domain1.com.
❖Container objects: used to group leaf objects for ease of
➢Each domain object often represents a separate business unit within
administration and the application of Group Policy. There are three main
your organization and can contain OUs as well as leaf objects.
container:
➢Domains
➢Organizational units (OUs)
➢Sites
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 25/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 26/74
/50
❖Organizational Unit (OU): contains leaf objects or other OUs (called ❖Site: represent physical locations within your organization.
child OUs). ➢Each physical location contains a LAN that communicates with other
physical locations over an WAN/Internet connection.
❖The OU structure you create ➢By representing each physical location with a site object, you can
for each domain should create settings that control the replication of Active Directory
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 27/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 28/74
/50
Active Directory Forests and Trees Active Directory Forests and Trees
❖Domains are often used to represent a single business unit within an ❖Forest: a collection of Active Directory domains that share a schema
organization. => suitable for smaller organizations. and some security principals.
➢The vast majority of organizations in the world have a single forest
domain.
❖Larger organizations often have multiple business units, and each
business unit may need to access resources within other business units. ➢Multiple domain forests are generally used by larger geographically
dispersed organizations.
❖Active Directory forests are used to provide for multiple domains within
the same organization.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 29/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 30/74
/50
Active Directory Forests and Trees Active Directory Forests and Trees
❖When install the first domain controller within the first domain in an ❖Trees: a collection of one or more domains that share a common
namespace.
organization, a forest is created with the same name as this first ➢Ex: domain2.com, hcm.domain2.com, and hn.domain2.com
domain. domains share the same core domain name, we refer to them as the
domain2.com tree.
❖The first domain in a forest is called the forest root domain.
❖The domain2.com domain is called the parent domain within the tree,
and the hcm.domain2.com and hn.domain2.com domains are called
domain1.com domain2.com child domains.
(forest root domain)
4
Child
Domain
Active Directory Trusts
FOREST DOMAIN 33 34
37 domain1.com FOREST 38
Global Catalog
❖A single forest can contain an unlimited number of domains.
➢Each domain can contain an unlimited number of objects.
5 Global Catalog
43 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 44/74
/50
Global Catalog Global Catalog
❖Global Catalog (GC): ❖The GC allows users to quickly find objects
➢Allows users and applications to find objects in an Active Directory ➢without knowing what domain holds them
domain tree, given one or more attributes of the target object. ➢without requiring a contiguous extended
namespace in the enterprise.
➢Holds a replica of every object in the directory (in naming context)
and a small number of their attributes:
o Most frequently used in search operations.
▪ (i.e., a user's first and last names or login names)
o Required to locate a full replica of the object.
➢For example, when assigning permissions
on a resource, the interface you use will
➢Stored on at least one domain controller in the forest. allow you to select users and groups
➢The default is the first Domain Controller created in the Forest. within other domains in the forest from a
➢Can config in other Domain Controller to load balancing. list that is provided by the GC.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 45/74
/50 46
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 49/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 50/74
/50
Authentication Protocols
❖NT LAN Manager (NTLM):
➢Current version: 35.0 (4/29/2022)
6 Authentication Process
▪ Group memberships.
▪ Interactive logon information.
▪ Message integrity.
➢Replaced by Kerberos.
51 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 52/74
/50
Authentication Protocols Authentication Protocols
❖Kerberos Network Authentication Service (V5) protocol ❖Kerberos Network Authentication Service (V5) protocol
(Kerberos V5): (Kerberos V5):
➢Current version: Version 5, Release 1.20 (26 May 2022)
➢Replaces NTLM in AD.
➢Used for authentication between clients and servers in DC (default).
o Authorization information: ➢However, NTLM can be used when the Kerberos do not work.
▪ Group memberships o One of the machines is not Kerberos-capable.
▪ Interactive logon information o The server is not joined to a domain.
▪ Message integrity o The Kerberos configuration is not set up correctly.
o The implementation chooses to directly use NLMP (NT LAN
➢Support Single Sign-On
Manager (NTLM) Authentication Protocol.).
➢High security.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 53/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 54/74
/50
10. The client presents the session ticket to the server 11. The LSA compares the SIDs in the access token with the groups that are
where the resource resides. assigned permissions in the resources discretionary access control list (DACL). If
they match, the user is granted access to the resource.
The Local Security Authority (LSA) on the server uses
the information in the session ticket to create an access
token.
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 59/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 60/74
/50
Multi-master model
❖Active Directory is the central repository to store all objects in an
enterprise and their respective attributes.
➢It's a hierarchical, multi-master enabled database that can store
millions of objects.
➢Changes to the database can be processed at any domain controller
Flexible Single Master Operations (DC) in the enterprise.
7 (FSMO) Role viết theo dạng cấu trúc phân tầng
có thể được chỉnh sửa, đọc bởi nhiều thiết bị
có trường hợp bị đụng độ: 2 máy domain controller cùng thay đổi 1 thiết bj
➢Possibility of conflicts that can potentially
lead to problems once the data is replicated
to the rest of the enterprise.
61 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 62/74
/50
❖Active Directory includes multiple roles, and the ability to transfer roles
➢However, there are times when conflicts are too difficult to resolve
to any DC in the enterprise.
using the last writer wins approach.
➢In such cases, it's best to prevent the conflict from occurring rather
than to try to resolve it after the fact. ❖Five (Flexible Single Master Operations) FSMO roles:
chỉnh sửa nào mới nhất thì lấy chỉnh sửa đó. gán 5 cái roles cho domain controller
Schema định nghĩa đối tượng trong domain
FSMO Roles FSMO Roles
❖Schema master ❖Schema master
➢Manages the read-write copy of your Active Directory schema. ➢Only one DC can process updates to the AD schema.
o The AD Schema defines all the attributes – things like employee o Once the Schema update is complete, it's replicated from the
ID, phone number, email address, and login name – that you can schema master to all other DCs in the directory.
apply to an object in your AD database.
Định nghĩa Schema cho toàn bộ Forest
mặc định máy tạo máy tạo ra schem đầu tiên là máy forest root domain(FRD)
➢There's only one schema
master per forest.
o Default: Primary DC (PDC)
of the Forest Root Domain.
Biết được tên và sự liên kết giữa các domain
Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 65/74
/50 Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 66/74
/50
➢Review the Globally Unique Identifiers (GUID) ➢Review the Distinguished Name (DN):
o 128-bit number to uniquely identify specific components, o Unique in the Forest.
hardware, software, files, user accounts, database entries and
other items. o Includes enough information to locate a replica of the partition
o Unique not only in the enterprise but also across the world. that holds the object.
o Active Directory uses GUIDs internally to identify objects.
▪ Is a sequence of relative distinguished names (RDN)
o GUID would not changed but SID could sometimes changed. connected by commas.