
VNUHCM – UNIVERSITY OF SCIENCE

FACULTY OF ELECTRONICS – TELECOMMUNICATIONS


DEPARTMENT OF TELECOMMUNICATIONS – NETWORKS

COURSE
NETWORK TECHNOLOGY

Chapter 1: Windows Domain (Active Directory)

Editor: Nguyen Viet Ha, Ph.D.

September 14, 2023

Lecturer: Nguyen Viet Ha, Ph.D. Email: nvha@hcmus.edu.vn

Workgroup

❖ A peer-to-peer group of computers that share resources.
  ➢ As small as two computers, or it can scale up to be quite large.
  ➢ Small pool of systems, ideally 15 or fewer; a workgroup of around 200 systems is technically possible but impractical to manage by hand.
  ➢ Decentralized in every way.
    o May have a central server that the members use to consume various services (figure: the central server becomes overloaded).
    o Or share data from individual workstations (figure: every workstation becomes a weak point).
❖ Self-authentication and self-authorization for access to resources: each computer keeps its own account database and decides for itself who may use what.

Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US
Workgroup

❖ Authentication
  ➢ When connecting to a shared resource on a computer, you are first prompted to supply a valid username and password of an account on that computer that has permissions to access the resource.
❖ Authorization
  ➢ Checks the permissions of the authenticated user and controls access to functions based on the roles (group memberships) assigned to the user.

Workgroup

❖ The authentication process for a user log-in takes place at the local computer.
❖ Windows stores local user accounts and their security descriptors in a database called the Security Account Manager (SAM).
  ➢ It authenticates local user logons.
  ➢ The SAM database is a registry hive (HKLM\SAM) stored on disk as C:\WINDOWS\system32\config\SAM.
  ➢ Available on every NT-based Windows: XP, Vista, 7, 8/8.1, 10, 11 and the Server editions.
  ➢ Caveat: the SAM holds the NT password hashes of the local accounts, protected by a key derived from the SYSTEM hive in the same directory. The files are locked while Windows runs, but anyone with SYSTEM or local Administrator rights, or a copy of both hives (backup, Volume Shadow Copy, offline disk), can extract the hashes, so the local administrator password should be unique per machine.
❖ SAM objects include the following:
  ➢ SAM_ALIAS: a local group.
  ➢ SAM_GROUP: a group that is not a local group (e.g., a domain global group).
  ➢ SAM_USER: a user account.
  ➢ SAM_DOMAIN: a domain (on a workstation, the local account domain and the BUILTIN domain).
  ➢ SAM_SERVER: the server object at the top of the SAM hierarchy, which contains the domain objects.
Workgroup

❖ Advantages:
  ➢ Very simple to manage.
  ➢ Simply configure a resource for sharing and define whom you want to share that resource with, because everything is set locally.
  ➢ Inexpensive option, because you don't need servers to support a workgroup.
❖ Disadvantages:
  ➢ Low security.
    o Passwords may not be changed very often.
      ▪ If they are changed, a user may update the password on a few systems but not on all of them, and the accounts end up out of sync.
    o In practice the same local account name and password is reused on every machine, so one compromised machine exposes all of them.
  ➢ Less scalability.
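The audit a practitioner would run against the "passwords are rarely changed" and "everything is set locally" points above, as an added example that is not part of the lecture. It assumes Windows 10 / Server 2016 or later (the LocalAccounts module is built in) and an elevated prompt; the 90-day threshold is an assumed policy, not a Windows default.

```powershell
# Added example (not from the lecture): audit the local SAM accounts of a workgroup machine.
# Assumptions: Windows 10 / Server 2016 or later; run as an administrator so that
# PasswordLastSet and group membership are readable. 90 days is an assumed policy value.
$MaxPasswordAgeDays = 90

function Get-LocalAccountReport {
    param([int]$MaxAgeDays = $MaxPasswordAgeDays)
    $now = Get-Date
    Get-LocalUser | ForEach-Object {
        $ageDays = if ($_.PasswordLastSet) { [int]($now - $_.PasswordLastSet).TotalDays } else { $null }
        [pscustomobject]@{
            Name            = $_.Name
            Enabled         = $_.Enabled
            SID             = $_.SID.Value
            # The last sub-authority of the SID is the RID. RID 500 is always the built-in
            # Administrator, however it has been renamed, so attackers look for the RID, not the name.
            RID             = [int]$_.SID.Value.Split('-')[-1]
            PasswordAgeDays = $ageDays
            # Stale: an enabled account that never set a password or whose password is older than policy.
            Stale           = [bool]($_.Enabled -and ($null -eq $ageDays -or $ageDays -gt $MaxAgeDays))
        }
    }
}

# In a workgroup, membership of the local Administrators group is the whole authorization
# model, so list it next to the account report.
function Get-LocalAdminReport {
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource, @{ n = 'SID'; e = { $_.SID.Value } }
}

Get-LocalAccountReport | Sort-Object Stale -Descending | Format-Table -AutoSize
Get-LocalAdminReport   | Format-Table -AutoSize
```

Running this on each machine of a workgroup and comparing the SID columns shows the other half of the problem: the "same" account name on two machines has two unrelated SIDs, which is exactly why the passwords drift out of sync.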

Domain

❖ A logical grouping of computers that authenticate to a central database of users stored on special servers called domain controllers.
  ➢ When users log into a computer that is joined to a domain, their usernames and passwords are authenticated by the nearest domain controller.
❖ A domain may have multiple domain controllers.
❖ Once authenticated, the user receives a token that follows them around the network and automatically proves their identity to other domain-joined servers and clients.
  ➢ It allows them to access the resources that specifically grant them access.
❖ Users only need to authenticate once to a domain controller to prove their identity to all domain members; this feature is called single sign-on.
Domain

❖ The software components that provide the authentication functionality are called Active Directory.
  ➢ It contains many other services and components to centrally manage and secure the computers that are joined to the domain.
    o Group Policy can be used to configure operating system settings, security, and software for different computers and users in the domain.
    o Active Directory Certificate Services (AD CS) can be used to automate the deployment of encryption certificates to domain computers and users.
❖ Advantages:
  ➢ Centralization
  ➢ Manageability
  ➢ Scalability
  ➢ Tight security
  ➢ Single sign-on
❖ Disadvantages:
  ➢ Complex
  ➢ High level of administration
  ➢ High-performance devices required (server, router, switch)
  ➢ Expensive

Section 2: Active Directory

Active Directory

❖ A directory service that stores user/computer accounts, applications, printers, shared folders, group policies, and all kinds of records.
  ➢ The main Active Directory service is Active Directory Domain Services (AD DS).
    o It provides centralized authentication and supports single sign-on to computers on the network that are joined to an Active Directory domain.
Active Directory

❖ AD DS stores its data in the NTDS.DIT (NT Directory Services Directory Information Tree) file, %SystemRoot%\NTDS\Ntds.dit.
  ➢ A database that stores all Active Directory data, including information about user objects, groups and group membership, as well as the password hashes of every domain user.
  ➢ Caveat: because it holds every domain hash, NTDS.DIT (together with the SYSTEM hive that protects it) is the most sensitive file on a domain controller; backups and virtual-disk snapshots of DCs need the same protection as the DC itself.
❖ It is logically separated into the following partitions (naming contexts):
  ➢ Schema partition: contains the definitions of object classes and attributes and the rules for their creation and manipulation; one per forest.
  ➢ Configuration partition: contains the forest-wide Active Directory topology, including DCs, sites and services; one per forest.
  ➢ Domain partition: contains the users, groups, computers and OUs of one domain; one per domain.
  ➢ Application partitions: store application data that should replicate only to selected DCs. For example, AD-integrated DNS zones are stored in the DomainDnsZones and ForestDnsZones application partitions.
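To see the physical file and the four kinds of partition side by side, the following added example (not from the lecture) reads the DC's rootDSE and pulls one sample object from each partition. It assumes the RSAT ActiveDirectory module; the registry part only returns something when run on a domain controller.

```powershell
# Added example (not from the lecture): locate NTDS.DIT and map its logical partitions.
# Assumptions: RSAT ActiveDirectory module; a domain user can read all of this. The
# registry values only exist on a domain controller.
Import-Module ActiveDirectory

# 1. Physical file: the path is recorded by the DC promotion process in the registry.
$ntdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
if (Test-Path $ntdsParams) {
    $p = Get-ItemProperty -Path $ntdsParams
    "Database file : $($p.'DSA Database file')"        # typically C:\Windows\NTDS\ntds.dit
    "Log directory : $($p.'Database log files path')"
}

# 2. Logical partitions (naming contexts) as advertised by the DC's rootDSE.
function Get-AdPartitionMap {
    $root  = Get-ADRootDSE
    $known = @($root.schemaNamingContext, $root.configurationNamingContext, $root.defaultNamingContext)
    [pscustomobject]@{
        Schema        = $root.schemaNamingContext
        Configuration = $root.configurationNamingContext
        Domain        = $root.defaultNamingContext
        # Everything else this DC hosts is an application partition (DNS zones, custom ones).
        Application   = @($root.namingContexts | Where-Object { $known -notcontains $_ })
    }
}
$map = Get-AdPartitionMap
$map | Format-List

# 3. One sample object from each partition, to show what each one holds.
# Schema: the class definition of 'user' and the class it inherits from.
Get-ADObject -SearchBase $map.Schema -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=user))' -Properties subClassOf |
    Select-Object Name, subClassOf
# Configuration: the sites of the forest (the replication topology lives here).
Get-ADObject -SearchBase "CN=Sites,$($map.Configuration)" -LDAPFilter '(objectClass=site)' |
    Select-Object Name
# Domain: the top-level OUs of this domain.
Get-ADOrganizationalUnit -SearchBase $map.Domain -SearchScope OneLevel -Filter * |
    Select-Object Name
# Application: AD-integrated DNS zones, if DNS data is stored in the directory.
foreach ($nc in $map.Application) {
    Get-ADObject -SearchBase $nc -LDAPFilter '(objectClass=dnsZone)' -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'Partition'; e = { $nc } }, Name
}
```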

Active Directory

❖ Each domain controller (DC) holds a full, writable replica of the Active Directory database for its domain (plus the forest-wide schema and configuration partitions).
❖ After the domain controller validates your user name and password, it issues your computer an encrypted token (in Kerberos terms, a ticket-granting ticket) that lists:
  ➢ Your domain user account.
  ➢ The domain group accounts of which you are a member.
  ➢ Tokens can only be decrypted by the domain controllers (and, for service tickets, the servers) that participate in the same Active Directory domain.
  ➢ The token is destroyed when you log out of your system.
Active Directory

❖ When you access a shared resource on another computer in the domain, your token is automatically sent with the request to the target computer to verify your identity.
  ➢ You are then granted or denied access to the resource according to the permissions assigned to your domain user and group accounts listed within the resource's ACL (Access Control List).
❖ AD DS is composed of both logical components (forests, domains, OUs, objects) and physical components (domain controllers, sites, subnets). [figure]

Section 3: Active Directory Structure

Active Directory Objects

❖ An object is the most basic component in the logical structure of AD, defined within the Active Directory database.
❖ The Active Directory schema stores a list of all available object types (called classes, e.g., user) and their associated properties (called attributes).
Active Directory Objects

❖ Leaf objects represent a user account, group account, computer account, or a network resource published to the Active Directory database (e.g., a shared printer).
❖ Container objects are used to group leaf objects for ease of administration and the application of Group Policy. There are three main containers:
  ➢ Domains
  ➢ Organizational units (OUs)
  ➢ Sites
❖ Domain (or Active Directory domain): used to group and manage objects.
  ➢ Creates a management boundary (and a replication boundary for the domain partition).
  ➢ Given a unique DNS domain name, such as domain1.com.
  ➢ Each domain often represents a separate business unit within your organization and can contain OUs as well as leaf objects.

Active Directory Objects

❖ Organizational Unit (OU): contains leaf objects or other OUs (called child OUs).
  ➢ The OU structure you create for each domain should reflect the structure within that particular business unit. [figure]
❖ Site: represents a physical location within your organization.
  ➢ Each physical location contains a LAN that communicates with the other physical locations over a WAN/Internet connection.
  ➢ By representing each physical location with a site object, you can create settings that control the replication of Active Directory information across the WAN.
Active Directory Forests and Trees

❖ Domains are often used to represent a single business unit within an organization, which is suitable for smaller organizations.
❖ Larger organizations often have multiple business units, and each business unit may need to access resources within other business units.
❖ Active Directory forests are used to provide multiple domains within the same organization.
❖ Forest: a collection of Active Directory domains that share a schema, a configuration partition and some security principals.
  ➢ The vast majority of organizations in the world have a single-domain forest.
  ➢ Multiple-domain forests are generally used by larger, geographically dispersed organizations.
  ➢ Caveat: the forest, not the domain, is the security boundary; an administrator of any domain in the forest can in practice take control of the whole forest, so domains separate administration, not trust.

Active Directory Forests and Trees

❖ When you install the first domain controller within the first domain in an organization, a forest is created with the same name as this first domain.
❖ The first domain in a forest is called the forest root domain.
❖ Trees: a collection of one or more domains that share a common (contiguous) namespace.
  ➢ Ex: the domain2.com, hcm.domain2.com and hn.domain2.com domains share the same core domain name, so we refer to them as the domain2.com tree.
❖ The domain2.com domain is called the parent domain within the tree, and the hcm.domain2.com and hn.domain2.com domains are called child domains.
❖ The domain1.com domain is also a tree, but without child domains.
❖ The first domain in a tree is called the tree root domain.

  [Figure: the domain1.com forest]
    domain1.com (forest root domain; also the tree root of the domain1.com tree)
    domain2.com (tree root of the domain2.com tree)
      hcm.domain2.com (child domain)
      hn.domain2.com (child domain)
  [Figure: a two-tree forest]
    Forest root domain, also a tree root domain: HCM.com
      Child domains: Q1.HCM.com, Q5.HCM.com
        Their child domains: P1.Q1.HCM.com, P2.Q5.HCM.com
    Tree root domain: HN.com
      Child domains: BD.HN.com, HK.HN.com
        Their child domains: P1.BD.HN.com, P2.HK.HN.com
    Each tree is labelled "tree domain" in the figure; the two trees together form the "forest domain".

Section 4: Active Directory Trusts

Active Directory Trusts

❖ Small organizations often have only one domain, but larger organizations will end up with multiple domains.
❖ To simplify administration and the user experience, you can set up trusts between domains so that an authenticated user in one domain can access resources in another domain without having to authenticate with a separate set of credentials.
❖ Trust flow:
  ➢ Transitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts Domain 3, so Domain 1 also trusts Domain 3.
  ➢ Nontransitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts Domain 3; however, Domain 1 does not trust Domain 3.
  ➢ One-way trust: establishes trust in one direction only. Domain 1 trusts Domain 2, but Domain 2 does not trust Domain 1 (users of Domain 2 can access resources in Domain 1, but not the reverse).
  ➢ Two-way trust: a bidirectional trust relationship. If Domain 1 trusts Domain 2, then Domain 2 also trusts Domain 1.
Active Directory Trusts

❖ AD DS trust types:
  ➢ Parent-Child trust: created automatically when a child domain is added; establishes the relationship between a parent domain and its child domain.
    o Always transitive and two-way.
  ➢ Tree-Root trust: created automatically when a new tree is added to the forest; establishes the relationship between the forest root domain and the root domain of the new tree.
    o Always transitive and two-way.

  [Figure: the domain1.com forest]
    domain1.com --(Parent-Child trust)-- a.domain1.com, b.domain1.com
    domain1.com --(Tree-Root trust)-- domain2.com --(Parent-Child trust)-- c.domain2.com

Active Directory Trusts

❖ AD DS trust types:
  ➢ Shortcut trust: created manually between two domains in the same forest where there is a need to optimize the authentication process (e.g., a user in Domain 1 frequently needs to authenticate to Domain 2 and the referral path through the tree roots is long).
    o Transitive; one-way or two-way.
  ➢ Realm trust: allows you to create a trust between a Windows Server domain and a non-Windows (Linux, Unix or macOS server) Kerberos V5 realm.
    o Transitive or nontransitive; one-way or two-way.

  [Figure: the domain1.com forest of the previous slide with a Shortcut trust added between a domain of the domain1.com tree and a domain of the domain2.com tree (left), and a Realm trust between domain2.com and a UNIX Kerberos V5 realm (right)]


Active Directory Trusts

❖ AD DS trust types:
  ➢ External trust: connects a Windows Server domain in one forest to a single domain in a different forest, or to a Windows NT 4.0 domain (a non-Windows Kerberos realm uses a realm trust instead).
    o Nontransitive; one-way or two-way.
  ➢ Forest trust: creates a trust relationship between two Windows Server forests, so that every domain in one forest trusts every domain in the other.
    o Transitive within the two forests (it does not extend to a third forest); one-way or two-way.
  ➢ Caveat: external and forest trusts extend your attack surface to whoever controls the other side. Keep SID filtering on (it is enabled by default on both types) and use selective authentication when only a few resources need to be reachable across the trust.

  [Figure: the domain1.com forest (domain1.com, domain2.com, a.domain1.com, b.domain1.com, c.domain2.com) next to the domain3.net forest (domain3.net, a.domain3.net, b.domain3.net). Left: an External trust between one domain of each forest. Right: a Forest trust between domain1.com and domain3.net.]
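The following added example (not from the lecture) maps the trees of a forest and classifies every trust of the current domain into the six types above, then reports the two settings a reviewer checks first: transitivity and SID filtering. It assumes the RSAT ActiveDirectory module; the classification of intra-forest trusts by DNS-name relationship is this example's own logic, not an attribute Active Directory stores.

```powershell
# Added example (not from the lecture): map forest trees and classify trusts.
# Assumptions: RSAT ActiveDirectory module; run as a domain user of the domain to inspect.
Import-Module ActiveDirectory

function Get-ForestTreeMap {
    $forest  = Get-ADForest
    $domains = @($forest.Domains)
    foreach ($d in $domains) {
        # A domain is a tree root when no other forest domain is its DNS parent.
        $parent = $domains |
            Where-Object { $_ -ne $d -and $d.EndsWith(".$_") } |
            Sort-Object Length -Descending | Select-Object -First 1
        [pscustomobject]@{
            Domain     = $d
            Parent     = if ($parent) { $parent } else { '(tree root)' }
            ForestRoot = ($d -eq $forest.RootDomain)
        }
    }
}

# trustAttributes bit from [MS-ADTS] 6.1.6.7.9: TRUST_ATTRIBUTE_NON_TRANSITIVE
$TA_NON_TRANSITIVE = 0x1

function Get-TrustReport {
    $forest = Get-ADForest
    $local  = (Get-ADDomain).DNSRoot      # Get-ADTrust -Filter * lists the trusts of this domain
    foreach ($t in Get-ADTrust -Filter *) {
        $attr = [int]$t.TrustAttributes
        $dst  = [string]$t.Target
        # Classification by the lecture's types (the intra-forest split is this example's own logic).
        $kind = if ($t.TrustType -eq 'MIT') { 'Realm' }
                elseif ($t.IntraForest) {
                    if ($dst.EndsWith(".$local") -or $local.EndsWith(".$dst")) { 'Parent-Child' }
                    elseif ($local -eq $forest.RootDomain -or $dst -eq $forest.RootDomain) { 'Tree-Root' }
                    else { 'Shortcut' }
                }
                elseif ($t.ForestTransitive) { 'Forest' }
                else { 'External' }
        [pscustomobject]@{
            Domain        = $local
            Target        = $dst
            Kind          = $kind
            Direction     = $t.Direction                          # Inbound, Outbound or BiDirectional
            Transitive    = -not [bool]($attr -band $TA_NON_TRANSITIVE)
            # Quarantined = SID filtering on external trusts; ForestAware = SID filtering on forest trusts.
            SidFiltering  = [bool]$t.SIDFilteringQuarantined -or [bool]$t.SIDFilteringForestAware
            SelectiveAuth = [bool]$t.SelectiveAuthentication
        }
    }
}

Get-ForestTreeMap | Format-Table -AutoSize
Get-TrustReport   | Format-Table -AutoSize
# Review rule: an External or Forest trust without SID filtering needs a documented reason.
Get-TrustReport | Where-Object { $_.Kind -in 'External', 'Forest' -and -not $_.SidFiltering }
```

Parent-child and tree-root trusts will always show as two-way and transitive, since Windows creates them that way; anything else in those rows indicates a damaged trust object rather than a configuration choice.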

Section 5: Global Catalog

Global Catalog

❖ A single forest can contain a practically unlimited number of domains.
  ➢ Each domain can contain a practically unlimited number of objects.
    o We need an efficient way to locate objects quickly across different domains.
Global Catalog

❖ Global Catalog (GC):
  ➢ Allows users and applications to find objects anywhere in the Active Directory forest, given one or more attributes of the target object.
  ➢ Holds a read-only partial replica of every object in every domain partition of the forest, with a small subset of their attributes (the partial attribute set):
    o The attributes most frequently used in search operations (e.g., a user's first and last names or logon names).
    o The attributes required to locate a full replica of the object.
  ➢ Stored on at least one domain controller in the forest.
  ➢ By default, the first domain controller created in the forest is a GC.
  ➢ Other domain controllers can be configured as GCs for load balancing and fault tolerance. A GC answers forest-wide queries on LDAP port 3268 (3269 over TLS) in addition to the normal 389/636.
❖ The GC allows users to quickly find objects
  ➢ without knowing which domain holds them, and
  ➢ without requiring a contiguous extended namespace in the enterprise.
  ➢ For example, when assigning permissions on a resource, the interface you use lets you select users and groups from other domains in the forest from a list that is provided by the GC.
Global Catalog

❖ For user account objects, the global catalog stores a unique name that users can use to log into their domain from any computer in the forest.
  ➢ User Principal Name (UPN): username@domainname.
    o Referred to as the user logon name.
    o Unique in the forest.
❖ A GC is required when logging into a computer as a user account from another domain in the forest.
  ➢ The GC is contacted to verify the UPN and locate a domain controller that can complete the authentication process.
  ➢ The GC is also needed at logon to enumerate the user's universal group memberships.
❖ The GC is updated when objects are added or removed within any domain in the forest.
  ➢ These updates must be replicated to all other domain controllers that hold a copy of the GC.
Global Catalog

❖ In a multi-site environment:
  ➢ Smaller branch offices may have low-capacity servers that cannot handle the additional load of hosting a GC.
  ➢ GC replication may congest the WAN bandwidth in locations that have a slower connection. [figure: branch office congesting its WAN link]
  ➢ Solution: deploy domain controllers that only store universal group membership information locally.
    o Enable Universal Group Membership Caching (UGMC) on the site, so that its DCs do not need to hold a copy of the global catalog to provide fast authentication.
    o Domain controllers must contact a remote global catalog the first time each user authenticates to the domain, in order to verify their universal group memberships, which are then cached on the DC.
    o Subsequent authentication requests use the universal group membership information for the user stored in the cache, eliminating the need to contact a remote global catalog.
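An added example (not from the lecture) that ties the GC material together: it lists the GC servers, resolves a user by UPN through the GC port, shows which attributes make up the partial attribute set, and reports per site whether there is a local GC or UGMC enabled. It assumes the RSAT ActiveDirectory module; 'user@domain.example' is a placeholder UPN, and the 0x20 bit is the group-caching flag of the NTDS Site Settings options attribute as documented in [MS-ADTS].

```powershell
# Added example (not from the lecture): global catalog servers, GC lookups, the partial
# attribute set, and per-site UGMC status. Assumptions: RSAT ActiveDirectory module;
# 'user@domain.example' is a placeholder.
Import-Module ActiveDirectory

# 1. Which DCs hold a GC replica (the first DC of the forest is one by default).
function Get-GcServers {
    Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
        Select-Object HostName, Domain, Site, IsGlobalCatalog
}

# 2. Forest-wide lookup: port 3268 searches the GC replica (all domains, partial attributes),
#    while the default port 389 searches only the domain partition of that DC.
function Find-UserByUpn {
    param([Parameter(Mandatory)][string]$Upn)
    $gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
    Get-ADUser -Filter "UserPrincipalName -eq '$Upn'" -Server "${gc}:3268" |
        Select-Object Name, UserPrincipalName, DistinguishedName
}

# 3. Which attributes the GC replicates: those flagged isMemberOfPartialAttributeSet in the schema.
function Get-PartialAttributeSet {
    $schemaNc = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNc -Properties lDAPDisplayName `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' |
        Select-Object -ExpandProperty lDAPDisplayName | Sort-Object
}

# 4. A site without a local GC must either reach a remote GC at every logon or have UGMC enabled.
#    UGMC is bit 0x20 of the 'options' attribute on the site's NTDS Site Settings object ([MS-ADTS]).
function Get-SiteGcStatus {
    $gcSites = @(Get-GcServers | Select-Object -ExpandProperty Site -Unique)
    foreach ($site in Get-ADReplicationSite -Filter *) {
        $settings = Get-ADObject "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
        [pscustomobject]@{
            Site        = $site.Name
            HasLocalGc  = $gcSites -contains $site.Name
            UgmcEnabled = [bool]([int]$settings.options -band 0x20)
        }
    }
}

Get-GcServers           | Format-Table -AutoSize
Get-PartialAttributeSet | Select-Object -First 10
Get-SiteGcStatus        | Format-Table -AutoSize
# Find-UserByUpn -Upn 'user@domain.example'
```

A site row with HasLocalGc and UgmcEnabled both false is the slow-logon case the slide describes: every first logon in that site crosses the WAN to a remote GC.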

Section 6: Authentication Process

Authentication Protocols

❖ NT LAN Manager (NTLM):
  ➢ Specified in [MS-NLMP]; the cited document revision is 35.0 (April 29, 2022). The protocol itself exists in two versions, NTLMv1 and NTLMv2.
  ➢ Used for authentication between clients and servers (a challenge/response computed from the user's password hash; the password itself is never sent).
    o Authorization information carried:
      ▪ Group memberships.
      ▪ Interactive logon information.
      ▪ Message integrity.
  ➢ Superseded by Kerberos as the default in Active Directory, but still in use as a fallback.
  ➢ Caveat: NTLM does not authenticate the server to the client, so a captured challenge/response can be relayed to another server, and NTLMv1 responses are cheap to crack offline. Audit NTLM use (logon event 4624 with authentication package NTLM) and restrict it through Group Policy where possible.
Authentication Protocols

❖ Kerberos Network Authentication Service (V5) protocol (Kerberos V5):
  ➢ The protocol is version 5 (RFC 4120); the cited release, 1.20 (26 May 2022), is that of the MIT reference implementation (krb5).
  ➢ Used for authentication between clients and servers; the default protocol in an AD domain.
    o Authorization information carried (in the PAC of the ticket):
      ▪ Group memberships.
      ▪ Interactive logon information.
      ▪ Message integrity.
  ➢ Supports single sign-on.
  ➢ High security: mutual authentication, no password or hash on the wire, time-limited tickets.
  ➢ Replaces NTLM in AD. However, NTLM is still used when Kerberos does not work:
    o One of the machines is not Kerberos-capable.
    o The server is not joined to a domain.
    o The client addresses the server by IP address instead of a name, so no service principal name (SPN) can be built.
    o The Kerberos configuration is not set up correctly (e.g., a missing or duplicate SPN).
    o The implementation chooses to use the NT LAN Manager (NTLM) Authentication Protocol [MS-NLMP] directly.

Authentication Process (KDC: Key Distribution Center; TGT: Ticket-Granting Ticket)

The Key Distribution Center (KDC) runs on every domain controller and uses the long-term keys (password hashes) stored in Active Directory to issue tickets.

Interactive logon (obtaining a TGT):
1. The user enters credentials at a workstation to perform an interactive logon.
2. The client derives a key from the password and uses it to encrypt a timestamp (pre-authentication data), which it sends to a domain controller. The password itself is never sent.
3. The domain controller decrypts the timestamp with the user's stored key; a successful decryption of a fresh timestamp proves knowledge of the password.
4. The domain controller builds the list of domain-based groups to which the user belongs.
5. The domain controller queries the global catalog to identify the universal groups to which the user belongs.
6. The KDC issues the client a ticket-granting ticket (TGT). The TGT contains the security identifiers (SIDs) of the user and of the groups of which the user is a member, encrypted with the KDC's own key.

Accessing a resource (obtaining a service ticket):
7. The client requests access to a resource that resides on a specific server.
8. The client presents the TGT to the ticket-granting service (TGS) on the domain controller and asks for a ticket for the server's service principal name (SPN).
9. The TGS issues the client a service ticket (session ticket) for the server where the resource resides. The session ticket contains the SIDs for the user's group memberships and is encrypted with the server's key.
10. The client presents the session ticket to the server where the resource resides. The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource's discretionary access control list (DACL). If they match, the user is granted access to the resource.

Caveat: step 9 means a service ticket is only as secret as the key of the account that owns the SPN; service accounts therefore need long, random passwords and AES keys.
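The tail of this sequence can be watched on any domain-joined workstation. The following added example (not from the lecture) shows the TGT from step 6, requests the service ticket of steps 7 to 9, reads the access token of step 10, and repeats the DACL comparison of step 11 against a file share. It assumes a domain logon and a real share in place of the placeholder \\FS01.corp.example\Share; klist.exe ships with Windows.

```powershell
# Added example (not from the lecture): observe steps 6-11 on a domain-joined workstation.
# Assumptions: domain-joined machine, logged on with a domain account; replace the
# placeholder share with a real one. klist.exe is part of Windows.
$Share  = '\\FS01.corp.example\Share'
$Server = ($Share -split '\\')[2]          # host part of the UNC path

# Step 6: the TGT the KDC issued at logon (Client, Server krbtgt/REALM, KerbTicket Encryption Type).
klist tgt

# Steps 7-9: ask the TGS for a service ticket for the file server's SPN, then show the cache.
klist get "cifs/$Server" | Out-Null
klist | Select-String -Pattern "cifs/$Server", 'KerbTicket Encryption Type'

# Step 10: the access token LSA built from the ticket's SIDs (user SID plus group SIDs).
function Get-TokenSids {
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    @($id.User.Value) + @($id.Groups | ForEach-Object { $_.Value })
}

# Step 11: compare the token SIDs with the DACL of the share's folder, the way LSA on the
# server does. (Get-Acl over UNC reads the NTFS DACL; share-level permissions are separate.)
function Test-DaclAgainstToken {
    param([string]$Path, [string[]]$TokenSids)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        $sid = try { $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
               catch { $ace.IdentityReference.Value }   # an unresolvable identity is already a SID string
        [pscustomobject]@{
            Type     = $ace.AccessControlType        # Allow or Deny
            Identity = $ace.IdentityReference.Value
            Rights   = $ace.FileSystemRights
            InToken  = $TokenSids -contains $sid     # this ACE applies to the caller
        }
    }
}

$tokenSids = Get-TokenSids
Test-DaclAgainstToken -Path $Share -TokenSids $tokenSids | Format-Table -AutoSize
```

A Deny row with InToken true overrides any Allow row, as step 11 describes. If the klist output shows an RC4 (0x17) encryption type for the cifs ticket, the service account still has RC4 keys, which are far cheaper to attack offline than AES.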
Section 7: Flexible Single Master Operations (FSMO) Roles

Multi-master model

❖ Active Directory is the central repository that stores all objects in an enterprise and their respective attributes.
  ➢ It is a hierarchical, multi-master enabled database that can store millions of objects.
  ➢ Changes to the database can be processed at any (writable) domain controller (DC) in the enterprise.
    o (Annotation, translated from Vietnamese: written as a hierarchical structure; it can be read and edited from many machines; collisions happen when two domain controllers change the same object at the same time.)
  ➢ There is a possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise.

FSMO Role

❖ A conflict resolution algorithm is needed.
  ➢ The change that was written last wins ("last writer wins"; AD compares the attribute's version number first and then the originating timestamp).
  ➢ The conflicting changes made on all other DCs are discarded.
  ➢ However, there are times when conflicts are too difficult to resolve using the last-writer-wins approach.
  ➢ In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
❖ For certain types of changes, Windows incorporates methods to prevent conflicting Active Directory updates from occurring.
  ➢ (Annotation, translated from Vietnamese: the newest edit is the one that is kept.)

Single-master model

❖ To prevent conflicting updates, Active Directory performs updates to certain objects in a single-master fashion.
  ➢ Only one DC in the entire directory is allowed to process those updates.
❖ Active Directory includes multiple such roles, and the ability to transfer a role (or seize it, if the holder is lost) to any DC in the enterprise.
❖ There are five Flexible Single Master Operations (FSMO) roles: Schema master and Domain naming master (one of each per forest); RID master, PDC emulator and Infrastructure master (one of each per domain).
  ➢ (Annotation, translated from Vietnamese: the five roles are assigned to domain controllers; the schema defines the objects in the domain.)
FSMO Roles

❖ Schema master
  ➢ Manages the read-write copy of your Active Directory schema.
    o The AD schema defines all the classes and attributes (things like employee ID, phone number, email address and logon name) that you can apply to an object in your AD database.
  ➢ Only one DC can process updates to the AD schema.
    o Once the schema update is complete, it is replicated from the schema master to all other DCs in the forest.
  ➢ There is only one schema master per forest.
    o Default: the first DC of the forest root domain.
    o (Annotation, translated from Vietnamese: defines the schema for the whole forest; by default the machine that first creates the schema is the forest root domain (FRD) DC.)

FSMO Roles

❖ Domain naming master
  ➢ Manages the forest-wide domain namespace of the directory.
  ➢ Only this DC can add or remove domains and application directory partitions from the directory.
  ➢ There is only one domain naming master per forest.
    o Default: the first DC of the forest root domain.
    o (Annotation, translated from Vietnamese: knows the names of the domains and the links between them.)
❖ Relative Identifier (RID) master
  ➢ Allocates pools of Relative Identifiers (RIDs) to the DCs in its domain.
    o When a DC creates a security principal object (e.g., a user or group), it attaches a unique SID to the object, which consists of:
      ▪ A domain SID that is the same for all SIDs created in the domain.
      ▪ A RID that is unique for each security principal SID created in the domain.
  ➢ Also involved in moving objects from one domain to another within a forest.
  ➢ There is one RID master in each domain of an Active Directory forest.
FSMO Roles

❖ Primary Domain Controller (PDC) emulator
  ➢ The central point for authentication-sensitive operations within a domain.
    o Receives urgent replication of password changes and account lockouts, is consulted when another DC rejects a password (in case the change has not replicated yet), and is the default DC for editing Group Policy Objects.
    o (Annotation, translated from Vietnamese: responsible for authentication and information queries; manages group and account policies.)
  ➢ Synchronizes time in the enterprise: it is the authoritative time source for its domain, and the forest root PDC emulator is the source for the whole forest (Kerberos tolerates only 5 minutes of clock skew by default).
    o (Annotation, translated from Vietnamese: time synchronization.)
  ➢ Backward compatibility.
    o Performs all of the functionality that a Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
  ➢ There is one in each domain of an Active Directory forest.
❖ Infrastructure master
  ➢ Updates an object's SID and Distinguished Name (DN) in cross-domain object references (e.g., a group in one domain that has a member from another domain).
    o (Annotation, translated from Vietnamese: updates SID and DN.)
  ➢ When an object in one domain is referenced by another object in another domain, the reference is represented by:
    o The Globally Unique Identifier (GUID) of the object. (Annotation, translated from Vietnamese: a unique number within the forest.)
    o The SID (for references to security principals). (Annotation, translated from Vietnamese: composed of two values, the domain SID and the RID.)
    o The DN of the object being referenced.
  ➢ There is one in each domain of an Active Directory forest.
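The following added example (not from the lecture) shows the five role holders, reads the RID pool a DC received from the RID master, and applies the classic placement rule for the infrastructure master. It assumes the RSAT ActiveDirectory module; the interpretation of rIDAllocationPool as two packed 32-bit values is from Microsoft's documentation of the RID Set object.

```powershell
# Added example (not from the lecture): FSMO holders, RID pool of a DC, and the
# infrastructure-master placement check. Assumptions: RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        # forest-wide roles
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # per-domain roles (for the current domain)
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# RID master: each DC receives a block of RIDs. The current block is stored on the DC's
# 'RID Set' object as a 64-bit value: low 32 bits = first RID, high 32 bits = last RID.
function Get-RidPool {
    param([string]$DcName = (Get-ADDomain).PDCEmulator)
    $dc   = Get-ADDomainController -Identity $DcName
    $set  = Get-ADObject "CN=RID Set,$($dc.ComputerObjectDN)" -Properties rIDAllocationPool, rIDNextRID
    $pool = [int64]$set.rIDAllocationPool
    [pscustomobject]@{
        DC        = $dc.HostName
        PoolStart = [uint32]($pool -band 0xFFFFFFFF)
        PoolEnd   = [uint32]($pool -shr 32)
        NextRid   = $set.rIDNextRID
    }
}

# Infrastructure master: it fixes up cross-domain references only on DCs that are NOT global
# catalogs. If every DC is a GC the role is irrelevant; otherwise it must sit on a non-GC DC,
# or it never notices stale references (Microsoft's placement rule).
function Test-InfrastructureMasterPlacement {
    $domain = Get-ADDomain
    $dcs    = Get-ADDomainController -Filter *
    $holder = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    [pscustomobject]@{
        Holder      = $domain.InfrastructureMaster
        HolderIsGc  = [bool]$holder.IsGlobalCatalog
        AllDcsAreGc = $allGc
        Ok          = $allGc -or -not $holder.IsGlobalCatalog
    }
}

Get-FsmoHolders                    | Format-List
Get-RidPool                        | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-List
```

The same five names are returned by `netdom query fsmo`; if any of them is a DC that no longer exists, the role must be seized with `ntdsutil` or `Move-ADDirectoryServerOperationMasterRole -Force`, and the old DC must never be brought back online.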

FSMO Roles

❖ Infrastructure master
  ➢ Review of the Globally Unique Identifier (GUID):
    o A 128-bit number used to uniquely identify specific components, hardware, software, files, user accounts, database entries and other items.
    o Unique not only in the enterprise but also across the world.
    o Active Directory uses GUIDs internally to identify objects (the objectGUID attribute).
    o The GUID never changes, but the SID changes when an object is moved to another domain (the previous value is kept in sIDHistory).
    o The reason for using SIDs rather than GUIDs in access control is backward compatibility. Ex: Windows NT uses SIDs to identify users and groups in the ACLs on resources.
  ➢ Review of the Distinguished Name (DN):
    o Unique in the forest.
    o Includes enough information to locate a replica of the partition that holds the object.
    o It is a sequence of relative distinguished names (RDNs) connected by commas.
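The two identifiers the infrastructure master keeps in sync can be taken apart offline. The following added example (not from the lecture) splits a SID into domain SID and RID, names the well-known RIDs, and parses a DN into its RDNs while honouring escaped commas, then derives the partition a DN belongs to. It needs no domain: the DNs are the lecture's own examples and the SID is a constructed value.

```powershell
# Added example (not from the lecture): decode SIDs and DNs with .NET types only.
# The sample SID is constructed; the DNs are the lecture's examples.

# Well-known RIDs inside every domain. Tools resolve by RID because the built-in
# Administrator keeps RID 500 no matter how it is renamed.
$WellKnownRids = @{ 500 = 'Administrator'; 501 = 'Guest'; 502 = 'krbtgt'
                    512 = 'Domain Admins'; 513 = 'Domain Users'; 519 = 'Enterprise Admins' }

# A SID is S-1-<authority>-<sub-authorities...>-<RID>; for a domain principal the domain SID
# is everything before the final sub-authority, and the final sub-authority is the RID.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s   = [System.Security.Principal.SecurityIdentifier]::new($Sid)   # validates the syntax
    $rid = [int]($s.Value.Split('-')[-1])
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }  # null for BUILTIN etc.
        Rid       = $rid
        WellKnown = $WellKnownRids[$rid]
    }
}

# A DN is a comma-separated list of RDNs (attribute=value), most specific first. A comma
# inside a value is escaped with a backslash, so a plain split on ',' would corrupt it.
function Split-Dn {
    param([Parameter(Mandatory)][string]$Dn)
    $parts = [regex]::Split($Dn, '(?<!\\),')        # split on commas not preceded by a backslash
    foreach ($p in $parts) {
        $attr, $value = $p -split '=', 2
        [pscustomobject]@{ Attribute = $attr.Trim(); Value = ($value -replace '\\,', ',') }
    }
}

# The partition (naming context) that holds an object is the trailing run of DC= components.
function Get-DnPartition {
    param([Parameter(Mandatory)][string]$Dn)
    (Split-Dn $Dn | Where-Object Attribute -eq 'DC' | ForEach-Object { "DC=$($_.Value)" }) -join ','
}

Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-500' | Format-List     # constructed domain SID, RID 500
Split-Sid 'S-1-5-32-544' | Format-List                                      # BUILTIN\Administrators: no domain SID
Split-Dn  'CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM' | Format-Table -AutoSize
Split-Dn  'CN=Smith\, Jeff,OU=Sales,DC=Fabrikam,DC=COM' | Format-Table -AutoSize   # escaped comma in the RDN value
Get-DnPartition 'CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM'              # DC=corp,DC=Fabrikam,DC=COM
```

When an account is moved between domains, Split-Sid on its old and new SIDs shows a different DomainSid with a new RID, while its objectGUID is unchanged; that difference is exactly what the infrastructure master has to propagate into cross-domain group memberships.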
FSMO Roles

❖ Infrastructure master
  ➢ Review of the Distinguished Name (DN):
    o An RDN is an attribute with an associated value in the form attribute=value.
    o Ex:
      - CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
      - CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM

THANK YOU FOR YOUR ATTENTION

Nguyen Viet Ha, Ph.D.
Department of Telecommunications and Networks
Faculty of Electronics and Communications
University of Science, Vietnam National University, Ho Chi Minh City
Email: nvha@hcmus.edu.vn
