7/28/2019 Activ Directory Presentation cum directorui.ppt
1/156
Windows Server 2003 Active Directory
Introduction: Windows Server 2003
Windows Server 2003 is a server operating system produced by Microsoft
Introduced on April 24, 2003 as the successor to Windows 2000 Server
An updated version, Windows Server 2003 R2, was released to manufacturing on 6 December 2005
Unlike Windows 2000 Server, Windows Server 2003's default installation has none of the server components enabled, to reduce the attack surface of new machines
Windows Server 2003 includes compatibility modes to allow older applications to run with greater stability
Windows Server 2003 brought in enhanced Active Directory compatibility and better deployment support
Windows Server 2003 operating systems take the best of Windows 2000 Server technology and make it easier to deploy, manage, and use
2003 Server Roles
Windows Server 2003 is a multipurpose operating system capable of handling a diverse set of server roles, depending on your needs, in either a centralized or distributed fashion
Some of these server roles include:
File and print server
Web server and Web application services
Mail server
Terminal server
Remote access and virtual private network (VPN) server
Directory services, Domain Name System (DNS)
Dynamic Host Configuration Protocol (DHCP) server
Windows Internet Naming Service (WINS)
Streaming media server
2003 Flavours
Windows Server 2003 R2 Standard Edition
Windows Server 2003, Standard Edition is aimed at small to medium-sized businesses
Flexible yet versatile, Standard Edition supports file and printer sharing, offers secure Internet connectivity, and allows centralized desktop application deployment
Windows Server 2003 R2 Enterprise Edition
Windows Server 2003, Enterprise Edition is aimed at medium to large businesses
It is a full-function server operating system that supports up to eight processors and provides enterprise-class features such as eight-node clustering and support for up to 32 GB of memory
Enterprise Edition also comes in a 64-bit edition for Intel Itanium-based computers, capable of supporting 8 processors and 64 GB of RAM
2003 Flavours
Windows Server 2003 R2, Datacenter Edition
Windows Server 2003, Datacenter Edition is the flagship of the Windows Server line and is designed for immense infrastructures demanding high security and reliability
Datacenter supports up to 32-way SMP and 64 GB of RAM with the 32-bit version, and up to 128-way machines with individual partitions of up to 64 processors and 512 GB of RAM with the 64-bit version
Datacenter provides both eight-node clustering and load balancing service as standard features and includes Windows System Resource Manager, facilitating consolidation and system management
Windows Server 2003 Web Edition
Windows Server 2003, Web Edition is mainly for building and hosting Web applications, Web pages, and XML Web Services
It is designed to be used primarily as an IIS 6.0 Web server and provides a platform for rapidly developing and deploying XML Web services and applications that use ASP.NET technology, a key part of the .NET Framework
Introduction to Active Directory Infrastructure
Objective
Architecture of Active Directory
Introduction: function of Active Directory
Active Directory logical structure
Active Directory physical structure
Operations Master Roles
How Active Directory works
Active Directory as a directory service
Purpose of the Global Catalog
Active Directory schema
What are distinguished and relative distinguished names
Construct an LDAP query string
Introduction: Active Directory
Organizations operating a distributed environment need a way to manage network resources and services. As the organization grows, the need for a secure and centralized management system becomes more critical
A directory service provides a centralized location to store information, in a distributed environment, about networked devices and services and the people who use them
A directory service also implements the services that make this information available to users, computers, and applications
A directory service is both a database storage system (the directory store) and a set of services that provide the means to securely add, modify, delete, and locate data in the directory store
Active Directory directory service is the distributed directory service that is included with the Microsoft Windows Server 2003 and Microsoft Windows 2000 Server operating systems
Active Directory enables centralized, secure management of an entire network, which might span a building, a city, or multiple locations throughout the world
User Accounts
To access a Windows 2003 network a user needs an account
The account determines three factors:
when a user may log on
where within the domain/workgroup
what privilege level a user is assigned
Each account has a SID that serves as its security credential
Any object trying to access a resource must do it through a user account
Windows 2003 has two types of accounts:
Local Account
Domain Account
User Accounts
Local Account
Supported on all Windows 2000 and 2003 systems except DCs
Used on member servers participating in domains and on standalone systems participating in workgroups
Maintained on the local system, not distributed to other systems
A local user account authenticates the user for local machine access only; access to resources on other computers is not supported
Built-in local accounts: Guest; Administrator
Domain Account
Permits access throughout a domain and provides centralized user administration through AD
Created within a domain container in the AD database and propagated to all other DCs
Once authenticated against the AD database using the GC, a user obtains an access token for the logon session, which determines permissions to all resources in the domain
User Accounts
Domain account names must be unique within the domain, although the same logon name can be used on several systems with local logon
Logon names are not case sensitive, must not contain more than 20 characters, and must not contain any of: + * ? , / \ [ ] : ;
Passwords are case sensitive and must be secure, not easy to guess
Renaming an account doesn't affect any of the user account properties except the name
Accounts can be moved from one container to another
Disabled accounts can't be accessed
When an account is copied, most properties are copied, except the username, full name, password, logon hours, address/phone info, organization info, the "Account is disabled" option, and user rights and permissions
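The naming rules above (length limit, forbidden characters, case-insensitive uniqueness) and the rename behaviour are easy to get wrong in provisioning scripts. The following check is an added example written for this page, not code from the slides; the list of existing names and the SID value are constructed:

```python
# Added example (not from the original slides): checks a proposed domain logon
# name against the naming rules stated above and against names already in use.
# The existing-name list and the sample SID below are constructed for the example.

FORBIDDEN_CHARS = set('+*?,/\\[]:;')   # characters the slides list as not allowed
MAX_LOGON_NAME_LEN = 20


def validate_logon_name(name, existing_names):
    """Return a list of rule violations; an empty list means the name is acceptable."""
    problems = []
    if not name:
        problems.append("logon name is empty")
    if len(name) > MAX_LOGON_NAME_LEN:
        problems.append(
            f"logon name is {len(name)} characters, limit is {MAX_LOGON_NAME_LEN}")
    bad = sorted(set(name) & FORBIDDEN_CHARS)
    if bad:
        problems.append("logon name contains forbidden characters: " + " ".join(bad))
    # Logon names are not case sensitive, so uniqueness is checked with case folded.
    if name.casefold() in {n.casefold() for n in existing_names}:
        problems.append("logon name already exists in this domain (case-insensitive match)")
    return problems


def rename_account(account, new_name, existing_names):
    """Rename an account: only the logon name changes; every other property
    (here the SID) is carried over unchanged, as the slides state."""
    problems = validate_logon_name(new_name, existing_names)
    if problems:
        raise ValueError("; ".join(problems))
    renamed = dict(account)
    renamed["logon_name"] = new_name
    return renamed


# Constructed sample data: names already present in the domain.
EXISTING = ["jsmith", "Administrator", "Guest"]

if __name__ == "__main__":
    for candidate in ["jsmith2", "JSMITH", "j:smith", "x" * 21]:
        print(f"{candidate!r}: {validate_logon_name(candidate, EXISTING) or 'ok'}")
    account = {"logon_name": "jsmith", "sid": "S-1-5-21-0-0-0-1001"}  # constructed SID
    print(rename_account(account, "jsmith2", EXISTING))
```

The case-folded comparison is the important part: "JSMITH" and "jsmith" are the same logon name to the domain, so a script that compares raw strings would happily create a duplicate that the directory then rejects.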
User Accounts
Deleting an account permanently removes it, and all of its group memberships, permissions and user rights. A new account with the same name has a different SID and GUID
Disabling an account may be a better option
Administrator is the super account
Local Profiles
A user's local profile is located in the Documents and Settings directory on the local machine
When a user logs on to a machine for the first time, a subdirectory matching their user name is created under the Documents and Settings directory
In this subdirectory, the user's profile is created and named ntuser.dat
The user profile is copied from the Default User directory
Any changes made to the ntuser.dat file in the Default User directory will only affect new users when they log on
There is also an All Users subdirectory of the Documents and Settings directory
The All Users subdirectory also contains an ntuser.dat file
Changes to this file affect all users logging on to the computer
Roaming Profiles
If users access more than one machine or move around the network, a roaming profile can be created to ensure that the user will receive his or her user settings and preferences no matter where they log on
When roaming profiles are used, the ntuser.dat file is stored on a network share and loaded to the local machine when the user logs on
Changes made to the user preferences or settings are copied back to the network share when the user logs off
The local profile will remain on the local machine, and should the network share be unavailable the next time the user logs on from that machine, the locally cached profile will be loaded instead
Changes to the local profile will not be saved back to the network share in this case
Roaming profiles can cause network problems if users save large files to their Desktop or to their My Documents folder
Mandatory Profiles
Mandatory profiles can be used when the user should be prevented from saving changes to the user settings or preferences
For example, a profile could be created with many shortcuts to file shares and applications
Users shouldn't be able to delete these shortcuts and then save the changes back to the network share
By creating the profile as a mandatory profile, users are able to make changes to their settings and preferences, but the changes are lost when the user logs off the machine
A mandatory profile can also be used for a group of people, and then every user would get the exact same settings and preferences
Home Folders
Users can use home folders to store their personal files
A home folder is a folder on a computer, usually a file server, which can be assigned to users to save documents and files
Home folders are generally used to consolidate user data into one place for easy backup
Also, many applications use the user's home folder as the default location for the Save As and File Open commands
A home folder can be located on a single computer or on a network share, where it is available to the user anywhere in the network
Computer Accounts
Every desktop, workstation, laptop, server, and DC in the network must have a valid computer account in Active Directory
Computer accounts are used to identify a computer to the domain
Computer accounts are accounts for computers, just as a user account is an account for a person
Active Directory requires that all logons not only come from a valid user, but that the logon attempt also comes from a valid computer
When a domain controller receives an authentication request, it first checks to make sure the request is coming from a computer that has a valid computer account in the domain
The domain won't accept the user logon, even if it's valid, if it's from a computer that doesn't belong to the domain
Domain Groups
Domain groups allow user accounts within a domain to be collected into a group that can then be used to grant access to resources or to assign user rights
There are two types of domain groups:
Security Groups
Distribution Groups
A security group is a security principal and so can be used to assign permissions and rights to a collection of user accounts
A distribution group is not a security principal and cannot be used to assign permissions
A distribution group is used for e-mail
It can be created when a mailbox is desired for a collection of user accounts, but no permissions will be needed
Group Scope
Within each type of group, there is a group scope. There are three possible group scopes:
Domain local
Global
Universal
Domain local
A domain local group can contain users and global groups from any trusted domain
However, a domain local group cannot contain domain local groups or local machine groups
Domain local groups are primarily used to assign permissions to resources
Group Scope
Use a domain local group when you want to assign access permissions to resources that are located in the same domain in which you create the domain local group
You can add all global groups that must share the same resources to the appropriate domain local group
Global Group
A global group is a security or distribution group that can contain users, groups, and computers as members from its own domain
Use global groups to organize users by job description or function
You can grant rights and permissions to global security groups for resources in any domain in the forest
Because global groups are visible throughout the forest, do not create them for the purpose of allowing users access to domain-specific resources
Group Scope
Universal Group
A universal group is a security or distribution group that can contain users, groups, and computers as members from any domain in its forest
Universal security groups can be granted rights and permissions on resources in any domain in the forest
A Windows Server 2003 domain must be in Windows 2000 native mode or Windows Server 2003 mode to use universal security groups
You can use universal distribution groups in a Windows Server 2003 domain that is in Windows 2000 mixed mode or higher
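The three scope slides above state containment rules, where each scope may be granted permissions, and which domain mode universal groups need. The following model is an added example for this page, not code from the slides: it encodes those rules, then expands a nested "users in a global group, global group in a domain local group" membership to show who ends up with access. Forest, domain and account names are constructed, and treating the "groups" a global group may contain as global groups of the same domain is an assumption made here.

```python
# Added example (not from the original slides): encodes the group-scope rules
# stated above and expands nested memberships to see who ends up with access.
# Forest, domain and account names are constructed; treating "groups" inside a
# global group as global groups of the same domain is an assumption made here.
from dataclasses import dataclass

MIXED, NATIVE, SERVER_2003 = "Windows 2000 mixed", "Windows 2000 native", "Windows Server 2003"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str     # "user", "computer", "global", "domain_local", "universal", "machine_local"
    domain: str


@dataclass(frozen=True)
class Forest:
    domains: frozenset                        # forest domains trust each other (two-way, transitive)
    external_trusts: frozenset = frozenset()  # domains outside the forest that are trusted

    def trusted_domains(self):
        return self.domains | self.external_trusts


def can_create_group(scope, group_type, domain_mode):
    """Universal security groups need native or 2003 mode; every other combination
    works in mixed mode or higher."""
    if scope == "universal" and group_type == "security":
        return domain_mode in (NATIVE, SERVER_2003)
    return True


def can_be_member(group, member, forest):
    """Apply the containment rule for the group's scope to one proposed member."""
    if group.kind == "domain_local":
        # users and global groups from any trusted domain; never other domain local
        # groups or local machine groups
        return member.kind in ("user", "global") and member.domain in forest.trusted_domains()
    if group.kind == "global":
        # only principals from the group's own domain (ASSUMPTION: nested groups are global)
        return member.domain == group.domain and member.kind in ("user", "computer", "global")
    if group.kind == "universal":
        # users, groups and computers from any domain in the forest
        return member.domain in forest.domains and member.kind in ("user", "computer", "global", "universal")
    raise ValueError(f"{group.name} is not a domain group")


def can_be_granted_on(group, resource_domain, forest):
    """Domain local groups carry permissions only in their own domain; global and
    universal security groups can be granted permissions in any forest domain."""
    if group.kind == "domain_local":
        return resource_domain == group.domain
    return resource_domain in forest.domains


def effective_members(group, memberships, forest):
    """Expand nested memberships to the users/computers that end up inside `group`,
    rejecting any link that violates the scope rules."""
    found, seen, stack = set(), set(), [group]
    while stack:
        current = stack.pop()
        if current in seen:
            continue
        seen.add(current)
        for member in memberships.get(current, ()):
            if not can_be_member(current, member, forest):
                raise ValueError(f"{member.name} ({member.kind}, {member.domain}) "
                                 f"cannot be a member of {current.name} ({current.kind})")
            if member.kind in ("user", "computer"):
                found.add(member.name)
            else:
                stack.append(member)
    return found


# Constructed forest: two domains plus an external trust. Sales users are collected
# in a global group, which is then placed in a domain local group that holds the
# permissions on a resource in the other domain (the pattern the slides recommend).
FOREST = Forest(frozenset({"corp.example", "eu.corp.example"}), frozenset({"partner.example"}))
ALICE = Principal("alice", "user", "corp.example")
BOB = Principal("bob", "user", "corp.example")
SALES = Principal("Sales", "global", "corp.example")
REPORT_READERS = Principal("Report-Readers", "domain_local", "eu.corp.example")
MEMBERSHIPS = {SALES: (ALICE, BOB), REPORT_READERS: (SALES,)}

if __name__ == "__main__":
    print(effective_members(REPORT_READERS, MEMBERSHIPS, FOREST))        # {'alice', 'bob'}
    print(can_be_granted_on(REPORT_READERS, "eu.corp.example", FOREST))  # True
    print(can_be_granted_on(REPORT_READERS, "corp.example", FOREST))     # False
    print(can_create_group("universal", "security", MIXED))              # False
```

Expanding nested membership is what an access review actually needs: the permission sits on the domain local group, but the people who can read the resource are whoever is reachable through the global groups inside it, possibly from another domain.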
DNS
For computers in a Windows 2003 network infrastructure to talk to one another, one of the key ingredients is the DNS service
DNS is the name resolution mechanism used by Windows Server 2003 clients to find other computers and services running on those computers
A client consults its configured DNS servers for a list of Active Directory domain controllers, to which it will then submit its logon credentials
We will start our discussion of DNS with the NetBIOS (Network Basic Input Output System) namespace
There are important differences between the DNS namespace and the NetBIOS namespace, and identifying some of the advantages and disadvantages of each namespace can help you understand them
A NetBIOS name is a 16-byte address that identifies a NetBIOS resource on a network
NetBIOS
The important thing to keep in mind about the NetBIOS namespace, especially when contrasting it to the DNS namespace, is that it's a flat namespace
DNS, conversely, is a hierarchical namespace. Every NetBIOS name must be unique, period
There is no structure of parent and child namespaces that would allow the same computer or service name to be reused in different parts of the namespace
In the NetBIOS environment, computers and services register unique NetBIOS names by using a 15-character computer name appended with a 16th hexadecimal character that identifies the service on the network
If the computer name does not contain 15 characters, the NetBIOS protocol dictates that the name is padded with as many spaces as necessary to generate a 15-character name
NetBIOS names can be registered with and resolved by a NetBIOS name server; in Windows, this NetBIOS name server is called the Windows Internet Naming Service, or WINS
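The 15-character padding and the 16th service byte are easy to see in code. The following is an added example written for this page, not code from the slides: it builds and decodes a 16-byte NetBIOS name and uses a small constructed registry to show why the flat namespace forbids two hosts with the same name and service. The suffix table lists well-known Windows service suffixes, which the slides do not enumerate.

```python
# Added example (not from the original slides): builds and decodes the 16-byte
# NetBIOS names described above and shows the flatness of the namespace with a
# small constructed registry. The suffix table lists well-known Windows service
# suffixes (not taken from the slides).

NAME_LEN = 15          # computer-name portion, space padded
SUFFIXES = {           # well-known 16th-byte service identifiers
    0x00: "Workstation service",
    0x03: "Messenger service",
    0x20: "File Server service",
    0x1B: "Domain Master Browser",
    0x1C: "Domain Controllers (group name)",
}


def encode_netbios_name(computer_name, suffix):
    """Return the 16-byte NetBIOS name: the computer name in upper case, padded
    with spaces to 15 characters, followed by the one-byte service suffix."""
    name = computer_name.upper()
    if not 1 <= len(name) <= NAME_LEN:
        raise ValueError(f"computer name must be 1 to {NAME_LEN} characters: {computer_name!r}")
    if not 0 <= suffix <= 0xFF:
        raise ValueError("suffix must fit in one byte")
    return name.ljust(NAME_LEN).encode("ascii") + bytes([suffix])


def decode_netbios_name(raw):
    """Split a 16-byte NetBIOS name back into (computer name, suffix)."""
    if len(raw) != NAME_LEN + 1:
        raise ValueError("NetBIOS names are exactly 16 bytes")
    return raw[:NAME_LEN].decode("ascii").rstrip(" "), raw[NAME_LEN]


def describe(raw):
    """Human-readable form, e.g. FILESRV<20> File Server service."""
    name, suffix = decode_netbios_name(raw)
    return f"{name}<{suffix:02X}> {SUFFIXES.get(suffix, 'unknown service')}"


def register(registry, computer_name, suffix):
    """Register a unique NetBIOS name. The namespace is flat: the 16-byte name is
    the only key, so a second host with the same name and service cannot coexist."""
    key = encode_netbios_name(computer_name, suffix)
    if key in registry:
        return False
    registry[key] = computer_name
    return True


if __name__ == "__main__":
    registry = {}
    print(register(registry, "filesrv", 0x20))   # True
    print(register(registry, "FILESRV", 0x20))   # False: same flat name, already taken
    print(register(registry, "filesrv", 0x00))   # True: different service suffix
    for key in registry:
        print(describe(key))
```

Note that the 0x20 suffix is itself the ASCII space character, which is why a captured name such as "FILESRV<20>" looks like trailing padding in a raw dump; the decoder keeps the 16th byte separate from the padding for that reason.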
DNS Components
Without DNS, you would have to know the IP address of every computer you are communicating with. DNS exists to resolve the names of computers to IP addresses
There are three main components you'll find in the Domain Name System, not just in Microsoft's implementation but in any DNS solution. These three items are:
Domain name servers
DNS resolvers
The logical namespace
The domain name servers are servers running the DNS software component, which store the information held in a zone file
These name servers provide address resolution and other information about the computers that you access, both in the Active Directory domain and in the named domains across the entire Internet
DNS resolvers are pieces of code that are built into the operating system. These pieces of code, also known as DNS clients, request resolution of FQDNs to IP addresses by querying their configured name servers
DNS Components
The namespace is the logical division of names where DNS objects are stored
In an Active Directory domain, the namespace can often reflect the organizational chart of a particular company, where the company name starts at the root of the namespace and then breaks into domains that provide a hierarchy for your domain enterprise
Fully Qualified Domain Names
The job of a resolver is to request resolution of a fully qualified domain name (FQDN) to an IP address
A fully qualified domain name represents a host name appended to the parent namespaces in a hierarchy
The leftmost portion of the FQDN is the host portion of the name. A host name is an alias we give to an IP address
There are organizations outside of your control that manage the topmost levels of the domain namespace
InterNIC is the organization that manages the top-level namespaces
DNS Zones
If domains represent the logical division of the DNS namespace, zones represent the physical separations of the DNS namespace
In other words, information about records of the resources within your DNS domains is stored in a zone file, and this zone file exists on the hard drive of one of your name servers
Domain name servers are simply servers that store these zone database files, which in turn provide resolution for records in the zone files
The DNS servers also manage how those zone files are updated and transferred
Zone files are divided into one of two basic types:
Forward lookup zone: provides host-name-to-IP-address resolution
Reverse lookup zone: provides IP-address-to-host-name resolution
When a zone file is first created on a DNS server, that server is said to be authoritative for that zone
DNS Zones
Then, for each child DNS domain name included in a zone, the zone becomes the authoritative source for the resource records stored in that child domain as well
This means that the DNS server can provide resolution for multiple domains within a zone file, and all changes to the resource records in both domains are made to the authoritative zone it stores
Zone Categories
The DNS zones kept on Windows Server 2003 computers can be further broken down into one of three categories. For each forward or reverse lookup zone, the file will be one of these types of zones:
Primary zone
Secondary zone
Stub zone
All of the zones you can create in Windows 2003 can be integrated in Active Directory
DNS Primary Zones
The primary DNS server for a zone is the location where all updates to the zone's records are made
All changes to the zone are then replicated to secondary servers. This replication model is called single master replication, where there is a single entity that controls changes to records
Windows NT 4 used this single master model for directory database replication as well
This also highlights the biggest drawback of the standard primary server model: it includes a single point of failure. Just like when an NT 4 primary domain controller went down, if for any reason the primary server for a zone is unavailable, no updates to the zone can be made
This does not, however, affect resolution of names as long as secondary servers for the zone are available and name-to-IP-address mappings have not changed
DNS Primary Zones
When you create a new zone, it will be a primary zone, and the server storing the zone will be a primary DNS server. You can then use primary zones in one of two ways:
Standard primary zones
Primary zones integrated with Active Directory
Using a standard primary zone, only a single DNS server will host and load the master copy of the zone
Further, only that server is allowed to accept dynamic updates, and no additional primary servers for the zone are permitted
You typically implement a standard primary zone when you need to replicate zone information with DNS servers running on other platforms such as Unix
If you want to add more primary servers for a zone, you need to configure an Active Directory-integrated zone, which will then take advantage of the Active Directory integrated storage and replication features of the DNS Server service
DNS Secondary Zones
Any time you have a secondary of anything, it is usually for load balancing and fault tolerance
The secondary servers are secondary servers because they store copies of zone files
Changes to the DNS domains are made at the primary zone level and then are copied to secondary zones for secondary zone servers
At the end of the day, they'll both end up storing the same information; it's just that changes to the domain are made at the primary level, not the secondary level
A DNS server can be a primary name server and a secondary name server at the same time
The designation is made by what kind of zone file is stored on the server, and you can store both primary and secondary zones on the same machine
Resource Records Stored in a Zone File
Each record stored in a zone file has a specific purpose
Some of the records set the behaviour of the name server; others have the job of resolving a host name or service into an IP address
Updates to Windows Server 2003's DNS
There have been several enhancements to the DNS features available with the Windows 2003 implementation of DNS, especially when compared to Microsoft's earlier deployments of the DNS service. Some of the improvements include the following:
Conditional forwarders: DNS queries can be sent to specific DNS servers if they meet a defined set of conditions. For example, the 2003 DNS server can be set so that all queries for FQDNs that end in hclcomnet.co.in are forwarded to a specific DNS server
Stub zones: stub zones keep a DNS server that hosts a parent zone aware of the authoritative DNS servers for its child zone. This improves the efficiency of DNS name resolution
Enhanced DNS zone replication in Active Directory: you now have four replication choices for Active Directory-integrated DNS zone data
Enhanced debug logging: the DNS server has been written with enhanced debug logging options to aid in troubleshooting of DNS name resolution
Resolving a Host Name
Now that we have an understanding of the components of the DNS infrastructure, we also need to understand how a DNS client resolves an FQDN to an IP address
There are actually many ways. A client can sometimes answer a query using information cached from a previously successfully resolved name. In fact, this is the first location the DNS resolver checks
If the check of the cache is unsuccessful in providing IP address resolution, the resolver gets help from its configured DNS server. This process is known as a recursive query
The DNS server in turn can use its own cache of resource record information to answer a query. Barring a quick resolution from the DNS server's cache, the server begins a walk of the DNS tree through a series of iterative queries
Forward Lookup Resolution of FQDNs
Any time you enter a fully qualified domain name into an application, your operating system uses the resolver piece of code to query its configured DNS server (or servers) to get an IP address for the name you have just entered
If the locally configured DNS server has a zone file that contains a record for the resource you're trying to browse to (or if it's contained in the server's cache), that resource's IP address is returned to your resolver
In most cases, the zone file is not going to hold the IP address for the record that you're trying to look up
The computer doesn't care what the name of the computer is; in order to communicate, it needs the IP address. The first place it looks for resolution is its configured DNS server
This query to the locally configured DNS server is called a recursive query
Forward Lookup Resolution of FQDNs
If the local DNS server does not have an A record that maps to an IP address, the client's local DNS server, if it's configured to do so, will begin looking through the entire DNS hierarchy on behalf of the DNS client
The DNS server performs the name resolution; the DNS client sits there and waits for a response to its recursive query
The client's local DNS server then talks to other DNS servers throughout the DNS hierarchy using a series of iterative queries
The client asks its local DNS server using a recursive query. A recursive query says, basically, give me the answer or tell me that you can't find it. It's a pass/fail type of proposition
The other type of query, where other DNS servers are talking to each other as the local DNS server is walking the domain tree, is called an iterative query. When your DNS server uses an iterative query
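The three "Resolving a Host Name" and "Forward Lookup Resolution" slides above describe one procedure: client cache, recursive query to the configured server, server cache and own zones, then an iterative walk down the tree following referrals. The following in-memory model is an added example written for this page, not code from the slides; it also covers a reverse (PTR) lookup and a child domain held inside its parent's zone, as the DNS Zones slides describe. Every server name, zone, record and address is constructed, and a dictionary keyed by server name stands in for contacting a server over the network.

```python
# Added example (not from the original slides): in-memory model of the lookup
# described above. Server names, zones, records and addresses are constructed;
# NETWORK (a dict keyed by server name) stands in for reaching a server by address.

class NameServer:
    """Holds zone files and answers single iterative queries."""

    def __init__(self, name, zones):
        self.name = name
        self.zones = zones   # {zone name: {owner name: [(record type, value), ...]}}
        self.cache = {}

    def authoritative_zone_for(self, fqdn):
        """Longest zone this server holds that contains fqdn ('.' is the root zone)."""
        best = None
        for zone in self.zones:
            if zone == "." or fqdn == zone or fqdn.endswith("." + zone):
                if best is None or len(zone) > len(best):
                    best = zone
        return best

    def iterative_query(self, fqdn, rtype):
        """Return ('answer', values), ('referral', [server names]) when the name is
        delegated to a child zone, ('nxdomain', None) or ('refused', None)."""
        zone = self.authoritative_zone_for(fqdn)
        if zone is None:
            return "refused", None
        records = self.zones[zone]
        labels = fqdn.split(".")
        # NS records for any name between fqdn and the zone apex mean the answer
        # lives in a delegated child zone: hand back a referral instead.
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            if candidate == zone:
                break
            ns_names = [v for t, v in records.get(candidate, []) if t == "NS"]
            if ns_names:
                return "referral", ns_names
        values = [v for t, v in records.get(fqdn, []) if t == rtype]
        return ("answer", values) if values else ("nxdomain", None)


class RecursiveServer(NameServer):
    """The client's configured DNS server: resolves on the client's behalf."""

    def __init__(self, name, zones, root_servers, network):
        super().__init__(name, zones)
        self.root_servers = root_servers
        self.network = network

    def recursive_query(self, fqdn, rtype, max_hops=8):
        """Return (values or None, list of servers consulted): pass or fail."""
        key = (fqdn, rtype)
        if key in self.cache:
            return self.cache[key], [self.name + " (cache)"]
        path = [self.name]
        status, data = self.iterative_query(fqdn, rtype)   # own zone files first
        next_servers = self.root_servers if status == "refused" else data
        while status not in ("answer", "nxdomain") and len(path) <= max_hops:
            server = self.network.get(next_servers[0]) if next_servers else None
            if server is None:
                return None, path
            path.append(server.name)
            status, data = server.iterative_query(fqdn, rtype)   # walk the tree
            next_servers = data
        if status == "answer":
            self.cache[key] = data
            return data, path
        return None, path


class Client:
    """The resolver in the operating system: own cache first, then one recursive query."""

    def __init__(self, dns_server):
        self.dns_server, self.cache = dns_server, {}

    def resolve(self, fqdn, rtype="A"):
        key = (fqdn, rtype)
        if key in self.cache:
            return self.cache[key], "client cache"
        values, path = self.dns_server.recursive_query(fqdn, rtype)
        if values:
            self.cache[key] = values
        return values, " -> ".join(path)


# Constructed tree: the root delegates "example" and the reverse tree to ns1.example,
# whose "example" zone holds the child domain hr.example directly and delegates
# sales.example to a separate server.
NETWORK = {}
NETWORK["a.root"] = NameServer("a.root", {".": {
    "example": [("NS", "ns1.example")], "in-addr.arpa": [("NS", "ns1.example")]}})
NETWORK["ns1.example"] = NameServer("ns1.example", {
    "example": {"www.example": [("A", "10.0.2.1")], "dc1.hr.example": [("A", "10.0.2.2")],
                "sales.example": [("NS", "ns1.sales.example")]},
    "2.0.10.in-addr.arpa": {"1.2.0.10.in-addr.arpa": [("PTR", "www.example")]}})
NETWORK["ns1.sales.example"] = NameServer("ns1.sales.example", {
    "sales.example": {"app.sales.example": [("A", "10.0.3.10")]}})
LOCAL_DNS = RecursiveServer("dns1.corp.local",
                            {"corp.local": {"fs1.corp.local": [("A", "192.0.2.20")]}},
                            ["a.root"], NETWORK)
CLIENT = Client(LOCAL_DNS)

if __name__ == "__main__":
    for name, rtype in [("fs1.corp.local", "A"), ("app.sales.example", "A"), ("dc1.hr.example", "A"),
                        ("1.2.0.10.in-addr.arpa", "PTR"), ("app.sales.example", "A"), ("nothing.example", "A")]:
        print(name, rtype, CLIENT.resolve(name, rtype))
```

Running it shows the two query types side by side: the client only ever makes the one recursive call and gets an answer or None, while the path returned for app.sales.example lists the root, the parent and the child authoritative server that the local DNS server consulted iteratively; the second lookup of the same name comes from the client cache, and a second client of the same server is answered from the server's cache without touching the tree.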
Logical Elements of Active Directory
The logical components of Active Directory are important because they define how the computing enterprise will be administered. By designing and determining the logical elements of Active Directory, we become the architects of the network
There are four logical components of Active Directory. They are:
Domains
Trees
Forests
Organizational units
Domains
A Windows 2003 Active Directory domain is a logical collection of users and computers
In other words, it's an organizational entity that groups together the objects in your enterprise
With a domain in place, you have several benefits, including the following:
They enable you to organize objects within a single department or single location, and all information about the object is available
They act as security boundaries. Domain admins exercise complete control over all domain objects. Further, in Windows 2003 Active Directory, Group Policies, another kind of domain object, can be applied to determine how resources can be managed and accessed
Domain objects can be made available to other domains
Domain names follow established DNS naming conventions, permitting the creation of child domains to best suit your administrative needs
Domains
Domains allow control over replication. That is, domain objects are fully replicated to other domain controllers within a domain, but not to other domains in an Active Directory enterprise
Trees
Once you've decided to create domains in your enterprise, you may find that you need more than one domain to best reflect the administrative structure of your company
Domains have many benefits; thus, you may find compelling reasons to apply these benefits separately to various groups of users and computers in your organization
The domains exist in a tree, and trees subsequently live in a forest. If you want to link your Windows 2003 domains together for purposes of administration and/or sharing of resources, you'll need to start building Active Directory trees and forests
The hallmark of an Active Directory tree is that it is a contiguous linking of one or more Active Directory domains that share a common namespace
In other words, the domains are linked together in parent-child relationships as far as the naming conventions go
Forests
A forest lets you link together multiple domain trees in a hierarchical arrangement
The goal in designing a forest is the same as when designing a tree: to define and maintain an administrative relationship between the domains
All domains in the tree are linked by two-way, transitive trust relationships, and all tree roots in the forest are likewise linked by two-way, transitive trusts
We need to choose our forest root domain with caution. Once established, the forest root cannot be changed without decommissioning the entire logical Active Directory infrastructure
In Windows Server 2003, it is now possible to rename the forest root domain, but the domain designated as the forest root cannot be changed once established
Organizational Units
When properly implemented, an organizational unit (OU) is the administrative linchpin of a Windows 2003 Active Directory hierarchy
It is a container object within a domain that represents sub-administrative entities within an Active Directory
Organizational units are used to group together domain computers, users, and other domain objects into an administrative collection
These collections are kept as separate logical units
Windows 2003 domains are designed to be self-contained, and through the use of organizational units you have a lot of flexibility about how that domain is administered
OUs are not groups; they are administrative containers. Anything you can put into the domain, anything you can put into an Active Directory database, you can put into an organizational unit
Understanding the Physical Elements of Active Directory
These logical structures are, however, physically created as software objects
But these objects don't live in a vacuum; they have to be created somewhere, and they have to be stored somewhere. Furthermore, the information has to be shared with other computers
An Active Directory structure contains two physical components:
Sites
Domain controllers
The job of a domain controller is to store a writable copy of the Active Directory database for the domain of which it is a member
Sometimes these domain controllers will store additional information, like the Global Catalog. Sometimes the domain controllers play important roles in the functioning of the network, and sometimes they perform many of these tasks at once
Understanding the Physical Elements of Active Directory
All of the objects in the domain's Active Directory database (the user accounts, the groups, the computer accounts, the organizational units, and so forth) are stored within a domain controller, and all domain controllers within a single domain act as peers
When domain controllers act as peers, they engage in multimaster replication. The multimaster replication model is a carryover from the Windows 2000 Active Directory environment, but it represents a significant departure from the single-master replication model used by Windows NT 4.0 domain controllers
All changes to the Windows NT 4.0 directory database were made at a Primary Domain Controller (PDC) and then replicated out to Backup Domain Controllers (BDCs). This is no longer the case
When Windows Server 2003 domain controllers engage in multimaster replication, a change to the Active Directory database can be made at any of the domain controllers, and these changes will then be reflected on the other domain controllers after replication
Implementing an Active Directory Site Topology
The simple definition of a site is a collection of one or more well-connected IP subnets. More importantly, though, a site is a unit of Active Directory replication
If the domain controller's job is to store and replicate the Active Directory database, then the site's job is to govern how that replication occurs
A site is also used by Active Directory to manage the following:
Logon traffic, ensuring that a client locates and submits credentials to local domain controllers when possible
Requests to the Global Catalog, by keeping all such requests local (if there is at least one Global Catalog server per site, as is recommended)
Optimization of traffic for Active Directory-aware applications, such as the Distributed File System (DFS)
The Role of the Knowledge Consistency Checker
If sites exist to control replication traffic, how does Active Directory build the replication topology between a site's domain controllers?
Automatically, using the Knowledge Consistency Checker (KCC)
During the Active Directory installation process, each domain controller is made aware of the other domain controllers within the same domain
The KCC works to ensure that every one of these domain controllers has at least one replication partner, or peer
The end result of the KCC's work is that all domain controllers are able to get updated Active Directory information from all others using a fault-tolerant ring topology
The other job of the KCC is to let Active Directory take care of replicating directory database information without administrators having to worry about it much or configure it manually
The Role of the Knowledge Consistency Checker
Manual creation of replication links between domain controllers can still be done, but Microsoft doesn't recommend it
The KCC automates the replication process, maintains the replication topology, minimizes replication latency, and checks all replication links every 15 minutes to ensure that the domain controllers are functioning properly
Further, if one of the domain controllers is taken offline, the KCC automatically regenerates a new replication topology between the remaining domain controllers for the domain
So again, you don't have to do much. You can almost fall backwards into a good working network with Windows Server 2003
Replication: How and Why
Replication between the domain controllers in an Active Directory domain, no matter in which sites those domain controllers live, works by keeping track of a version number assigned to the Active Directory database
This version number is called an Update Sequence Number (USN), and it is used to track the changes made to each copy of Active Directory
Every time a change is made to the database, the domain controller where the change was made updates its database USN
Every domain controller keeps track of its own USN and, more importantly, the USNs of its replication partners
Then, every 5 minutes (the default interval), the domain controller checks for changes from its replication partners in the same site
If a domain controller finds that its replication partner has an update to its USN, it requests that all changes since the last known USN be sent
Replication: How and Why
Even if a domain controller has been offline for an extended time, it can quickly be sent all updates to the Active Directory database when it comes back online
Two types of replication:
Replication within sites (intrasite)
Replication between sites (intersite)
Replication within a site is handled by the Knowledge Consistency Checker (KCC)
Replication between sites is handled by the Intersite Topology Generator (ISTG)
The job of the KCC is to evaluate the domain controllers within a site and automatically establish and maintain a ring-based replication topology
It does this by automatically creating connection objects between pairs of domain controllers within a site
Each domain controller will have at least two replication partners, if applicable (if there are only two domain controllers in a site, those domain controllers will have only one partner each)
Replication: How and Why
You can manually create these connection objects between domain controllers, or force replication between two domain controllers, but normally you would never need to do so
To force replication over a connection object, right-click the connection object and choose Replicate Now from the context menu
The KCC is a dynamic process. That is, it automatically adjusts the replication topology as network conditions change
As domain controllers or subnets are added to or removed from a site, the KCC constantly checks to make sure each domain controller is able to exchange information with at least two others within the site, thus keeping the ring topology intact
So even though you need to do virtually nothing to tweak the performance of the KCC in a production network, your job as a test candidate is to make sure you understand the purpose of the KCC
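The USN bookkeeping and the KCC ring from the last three slides, as an added Python example that is not part of the original presentation: the KCC part places one site's domain controllers on a ring and regenerates it when a DC goes offline or returns, and each DC pulls from its ring partners only the changes made after the last USN it knew for that partner. DC names, object names and values are constructed, and the skip of changes a DC already holds is a simplified stand-in for the up-to-dateness vector real domain controllers use, which the slides do not cover.

```python
from dataclasses import dataclass


def build_ring(names):
    """KCC: {dc: set(partners)} placing one site's DCs on a ring, so
    each DC has two partners (one when the site has only two DCs)."""
    ring = sorted(names)
    n = len(ring)
    topo = {dc: set() for dc in ring}
    for i, dc in enumerate(ring):
        if n >= 2:
            topo[dc].update({ring[(i + 1) % n], ring[(i - 1) % n]})
    return topo


def ring_intact(topo):
    """The KCC's periodic check: every DC can exchange data with at
    least two others (one in a two-DC site) and every link is mutual."""
    need = min(2, len(topo) - 1)
    return all(len(p) >= need and all(dc in topo[q] for q in p)
               for dc, p in topo.items())


@dataclass(frozen=True)
class Change:
    origin: str       # DC where the change was originally made
    origin_usn: int   # USN that DC assigned to the change
    obj: str          # distinguished name of the object (constructed)
    attr: str
    value: str


class DomainController:
    def __init__(self, name):
        self.name = name
        self.usn = 0            # this replica's own database USN
        self.log = []           # (local USN, Change) in local USN order
        self.replica = {}       # (obj, attr) -> value
        self.last_known = {}    # partner -> partner's USN at the last pull
        self.seen = set()       # (origin, origin_usn) already applied here

    def _record(self, change):
        self.usn += 1           # every write, local or replicated, bumps the USN
        self.log.append((self.usn, change))
        self.replica[(change.obj, change.attr)] = change.value
        self.seen.add((change.origin, change.origin_usn))

    def originate(self, obj, attr, value):
        """A change made at this DC is stamped with the next local USN."""
        self._record(Change(self.name, self.usn + 1, obj, attr, value))

    def changes_since(self, usn):
        return [c for local_usn, c in self.log if local_usn > usn]

    def pull_from(self, partner):
        """One replication check (the slides' 5-minute interval): if the partner's
        USN moved past the last known value, request all changes after it. Changes
        already held here are skipped so the ring does not replay them forever."""
        known = self.last_known.get(partner.name, 0)
        if partner.usn <= known:
            return 0
        applied = 0
        for c in partner.changes_since(known):
            if (c.origin, c.origin_usn) not in self.seen:
                self._record(c)
                applied += 1
        self.last_known[partner.name] = partner.usn
        return applied


class Site:
    """The online DCs of one site plus the ring the KCC maintains for them."""
    def __init__(self, names):
        self.dcs = {n: DomainController(n) for n in names}
        self.online = set(names)
        self.topo = build_ring(self.online)

    def set_online(self, name, up):
        if up:
            self.online.add(name)
        else:
            self.online.discard(name)
        self.topo = build_ring(self.online)   # KCC regenerates the topology

    def replication_cycle(self):
        """Every online DC pulls from each ring partner; returns changes applied."""
        return sum(self.dcs[dc].pull_from(self.dcs[p])
                   for dc in self.topo for p in self.topo[dc])


def run_scenario():
    """DC1 changes an attribute while DC3 is offline; DC3 catches up on return."""
    site = Site(["DC1", "DC2", "DC3"])
    alice = "CN=alice,OU=Sales,DC=corp,DC=example"   # constructed DN
    site.dcs["DC1"].originate(alice, "telephoneNumber", "5550100")
    site.set_online("DC3", False)          # DC3 taken offline: ring of two
    site.replication_cycle()               # DC2 receives the change from DC1
    site.dcs["DC2"].originate(alice, "description", "Sales rep")
    site.replication_cycle()               # DC1 receives it from DC2
    site.set_online("DC3", True)           # DC3 back: ring of three again
    caught_up = site.replication_cycle()   # DC3 pulls everything it missed
    return site, caught_up
```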
Replication: How and Why
Moreover, here's what else you need to know about intrasite replication:
Replication does not use compression. This behaviour reduces the processing load on domain controllers (processing cycles are needed to compress and uncompress information)
Replication occurs based on a notification process. When a domain controller has an update to its Active Directory database, it notifies the other domain controllers in the same site
These domain controllers then contact the notifying domain controller and request that the changes to the database be sent
Replication: How and Why
Replication between sites happens automatically after you define configurable values, such as a schedule or a replication interval
You can schedule replication for inexpensive or off-peak hours
By default, changes are replicated between sites according to a manually defined schedule and not according to when changes occur
The schedule determines at which times replication is allowed to occur
The interval specifies how often domain controllers check for changes during the time that replication is allowed to occur
Replication traffic between sites is designed to optimize bandwidth by compressing all replication traffic between sites
Replication traffic is compressed to 10 to 15 percent of its original size before it is transmitted
Although compression reduces the network bandwidth that is required, it imposes an additional processing load on domain controllers for the compression and decompression of replication data
Replication: How and Why
The intersite topology generator (ISTG) is an Active Directory process that runs on one domain controller in a site
A single domain controller in each site is automatically designated to be the intersite topology generator
The intersite replication topology defines the replication between sites on a network
The ISTG also selects one or more domain controllers to become bridgehead servers. If a bridgehead server becomes unavailable, it will automatically select another bridgehead server, if possible
It runs the KCC to determine the replication topology and the resulting connection objects to be used by the bridgehead servers to communicate with the bridgehead servers of other sites
If the domain controller designated as the intersite topology generator becomes unavailable, another domain controller will be automatically designated
The Active Directory database
The Active Directory database is logically separated into directory partitions: a schema partition, a configuration partition, domain partitions, and application partitions
Each partition is a unit of replication, and each partition has its own replication topology
Replication is performed between directory partition replicas
All domain controllers in the same forest have at least two directory partitions in common: the schema and configuration partitions
All domain controllers in the same domain, in addition, share a common domain partition
Active Directory partitions
Each domain controller contains the following Active Directory partitions:
Schema partition: There is only one schema partition per forest. The schema partition is stored on all domain controllers in a forest
The schema partition contains definitions of all objects and attributes that can be created in the directory, and the rules for creating and manipulating them
Schema information is replicated to all domain controllers in the forest, so all objects must comply with the schema object and attribute definitions
Configuration partition: There is only one configuration partition per forest. The configuration partition is stored on all domain controllers in a forest
The configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each, and which services are available
Configuration information is replicated to all domain controllers in a forest
Active Directory partitions
Domain partitions: There can be many domain partitions per forest. The domain partitions are stored on all of the domain controllers of the given domain
A domain partition holds information about all domain-specific objects created in that domain, including users, groups, computers, and organizational units
The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the Global Catalog, with only a subset of their attribute values
Application partitions: Store application-specific information in Active Directory. Each application determines how it will store, categorize, and use application-specific information
To prevent unnecessary replication of specific application partitions, Active Directory administrators can designate which domain controllers in a forest will host specific application partitions
The application partition differs from a domain partition in that it is not allowed to store security principal objects such as user accounts. In addition, the data in an application partition is not stored in the Global Catalog
What Are Operations Masters?
When a change is made to a domain, the change is replicated across all of the domain controllers in the domain
Some changes, such as those made to the schema, are replicated across all of the domains in the forest
This replication is called multimaster replication
During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers
To avoid replication conflicts, you use single-master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made
This way, changes cannot occur at different places in the network at the same time. Active Directory uses single-master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema
What Are Operations Masters?
Operations that use single-master replication are arranged together in specific roles in a forest or domain; these roles are called operations master roles
For each operations master role, only the domain controller that holds that role can make the associated directory changes
The domain controller that is responsible for a particular role is called the operations master for that role
Active Directory stores information about which domain controller holds a specific role
Active Directory defines five operations master roles, each of which has a default location
Operations master roles are either forest-wide or domain-wide
Operations Master Roles
There are 5 operations master roles, and they are:
Schema master
Domain naming master
PDC Emulator
RID Master
Infrastructure Master
Operations Master Roles
Schema master
Controls all updates to the schema
The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers
Whenever you are extending the schema or are installing an application that does so, such as Exchange Server, the schema master must be available
Domain naming master
Controls the addition or removal of domains in the forest
When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain
Operations Master Roles
Primary domain controller emulator (PDC emulator)
Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain
This type of domain has domain controllers that run Windows NT 4.0
The PDC emulator is the first domain controller that you create in a new domain
By default, this FSMO server is responsible for synchronizing the time on all domain controllers throughout the domain
The PDC emulator is also the first domain controller notified whenever password changes are performed by other domain controllers in the domain
If a user submits a logon to a domain controller that does not have the updated password, the logon request is forwarded to the PDC emulator before the logon attempt is rejected
Operations Master Roles
Relative identifier master
When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID)
This SID consists of a domain SID, which is the same for all security principals created in the domain, and a relative identifier (RID), which is unique for each security principal created in the domain
The RID master allocates blocks of RIDs to each domain controller in the domain
The domain controller then assigns a RID from its allocated block of RIDs to each object that it creates
Operations Master Roles
Infrastructure master
When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain
The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID
Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object
Additionally, the infrastructure master is in charge of updating group-to-user references whenever the members of groups are modified
Planning Flexible Operations Master Role Placement
In every forest, five FSMO roles are assigned to one or more domain controllers
Two of these operations masters are forest-wide: there is only one such server in the forest
Schema Master
Domain Naming Master
Three are domain-wide roles: in every forest, these single-master roles are held on only one server per domain
PDC Emulator
RID Master
Infrastructure Master
Roles performed by the schema master
An Active Directory schema defines the kinds of objects and the types of information about those objects that you can store in Active Directory
The definitions are stored as objects so that Active Directory can manage the schema objects with the same object management operations that it uses to manage other objects in the directory
The schema master performs the following roles:
Controls all originating updates to the schema
Contains the master list of object classes and attributes that are used to create all Active Directory objects
Replicates updates to the Active Directory schema to all domain controllers in the forest by using standard replication of the schema partition
Allows only the members of the Schema Admins group to make modifications to the schema
The effect of the schema master being unavailable
Having only one schema master per forest prevents any conflicts that would result if two or more domain controllers attempted to update the schema simultaneously
Temporary loss of the schema master is not visible to network users or to network administrators unless they are trying to modify the schema or install an application that modifies the schema during installation
If the schema master is unavailable and you need to make a change to the schema, you can seize the role to a standby operations master
Roles performed by the Domain Naming Master
When you add or remove a domain from a forest, the change is recorded in Active Directory
The domain naming master controls the addition or removal of domains in the forest
There is only one domain naming master per forest
When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain
The domain naming master prevents multiple domains with the same domain name from joining the forest
When you use the Active Directory Installation Wizard to create a child domain, it contacts the domain naming master and requests the addition or deletion
The effect of the Domain Naming Master being unavailable
Like the schema master, temporary loss of the domain naming master is not visible to network users or to network administrators unless the administrator is trying to add a domain to the forest or remove a domain from the forest
If the domain naming master is unavailable, you cannot add or remove domains
If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role on the standby operations master
To seize a role is to move it without the cooperation of its current owner. It is best to avoid seizing roles
Roles performed by the PDC Emulator
The PDC emulator acts as a Microsoft Windows NT Primary Domain Controller (PDC) to support any backup domain controllers (BDCs) running Windows NT in a mixed-mode domain
When you create a domain, the PDC emulator role is assigned to the first domain controller in the new domain
Acts as the PDC for any existing BDCs
Manages password changes from computers running Windows NT, Microsoft Windows 95 or Windows 98. Password changes from these clients must be written directly to the PDC
Minimizes replication latency for password changes
Synchronizes the time on all domain controllers throughout the domain to its own time
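The password path through the PDC emulator described on this slide and on the earlier "Operations Master Roles" slide, as an added Python example that is not from the presentation: a password change made at any DC is sent to the PDC emulator at once, other DCs only see it through normal replication, and a DC whose copy is stale forwards a mismatched logon to the PDC emulator before rejecting it. DC names, users and passwords are constructed, and passwords are kept as salted PBKDF2 hashes only so that the example does not store them in clear text.

```python
import hashlib
import hmac
import os


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


class DomainController:
    def __init__(self, name, pdc_emulator=None):
        self.name = name
        self.pdce = pdc_emulator     # None when this DC holds the role itself
        self.passwords = {}          # user -> (salt, digest)

    def change_password(self, user, new_password):
        """A change originated here is sent to the PDC emulator immediately;
        other DCs receive it only when normal replication reaches them."""
        self.passwords[user] = hash_password(new_password)
        if self.pdce is not None:
            self.pdce.passwords[user] = self.passwords[user]

    def verify_local(self, user, password):
        """Check the credentials against this DC's own copy of the password."""
        if user not in self.passwords:
            return False
        salt, digest = self.passwords[user]
        return hmac.compare_digest(hash_password(password, salt)[1], digest)

    def logon(self, user, password):
        """Returns (accepted, name of the DC that decided). A mismatch on a DC
        that is not the PDC emulator is forwarded there before the logon is
        rejected, so a password changed moments ago still works everywhere."""
        if self.verify_local(user, password):
            return True, self.name
        if self.pdce is not None and self.pdce.verify_local(user, password):
            return True, self.pdce.name
        return False, self.name


def replicate(src, dst):
    """Normal (non-urgent) replication of the password attribute."""
    dst.passwords.update(src.passwords)


def run_scenario():
    pdce = DomainController("PDCE")
    dc2 = DomainController("DC2", pdce)
    dc3 = DomainController("DC3", pdce)
    dc2.change_password("alice", "Winter2003!")    # constructed initial password
    replicate(dc2, dc3)                            # every DC has it now
    dc2.change_password("alice", "Spring2004!")    # changed at DC2: PDCE updated at once
    forwarded = dc3.logon("alice", "Spring2004!")  # DC3 still stale: forwarded to PDCE
    rejected = dc3.logon("alice", "Autumn2004!")   # wrong at DC3 and at the PDCE
    replicate(dc2, dc3)
    local = dc3.logon("alice", "Spring2004!")      # now DC3 verifies it itself
    return forwarded, rejected, local
```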
What Is the RID Master?
Whenever a domain controller creates a new security principal, such as a user, group, or computer object, it assigns the object a unique security identifier (SID)
This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain
Creating objects
To allow a multimaster operation to create objects on any domain controller, the RID master allocates a block of RIDs to each domain controller
When a domain controller needs an additional block of RIDs, it contacts the RID master, which allocates a new block of RIDs to the domain controller, which in turn assigns them to the new objects
If a domain controller's RID pool is empty and the RID master is unavailable, you cannot create new security principals on that domain controller
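RID allocation as an added Python example, not from the presentation: the RID master hands each DC a block of 500 RIDs (the size given later on the RID master placement slide), each new security principal's SID is the domain SID followed by the next RID from the DC's block, and a DC whose block is used up cannot create principals while the RID master is unreachable. The domain SID, the starting RID and the account names are constructed.

```python
class RidMaster:
    BLOCK_SIZE = 500                    # block size stated on the slides

    def __init__(self, domain_sid, first_rid=1000):
        self.domain_sid = domain_sid
        self.next_rid = first_rid       # constructed start value for the example
        self.available = True

    def allocate_block(self):
        """Hand out the next unused block, or None if the master is down."""
        if not self.available:
            return None
        start = self.next_rid
        self.next_rid += self.BLOCK_SIZE
        return range(start, self.next_rid)


class DomainController:
    def __init__(self, name, rid_master):
        self.name = name
        self.domain_sid = rid_master.domain_sid   # same for every principal in the domain
        self.rid_master = rid_master
        self.pool = iter(())            # RIDs still unused from the current block
        self.principals = {}            # sAMAccountName -> SID

    def next_rid(self):
        """Take a RID from the local block; ask for a new block when it is used up."""
        try:
            return next(self.pool)
        except StopIteration:
            block = self.rid_master.allocate_block()
            if block is None:
                return None
            self.pool = iter(block)
            return next(self.pool)

    def create_principal(self, sam_account_name):
        """Create a user, group or computer object and give it a unique SID."""
        if sam_account_name in self.principals:
            raise ValueError(f"{sam_account_name} already exists")
        rid = self.next_rid()
        if rid is None:
            raise RuntimeError(f"{self.name}: RID pool empty and RID master unavailable")
        sid = f"{self.domain_sid}-{rid}"
        self.principals[sam_account_name] = sid
        return sid


def all_sids_unique(dcs):
    """Multimaster check: no two DCs ever hand out the same SID."""
    sids = [sid for dc in dcs for sid in dc.principals.values()]
    return len(sids) == len(set(sids))


def run_scenario():
    master = RidMaster("S-1-5-21-1111111111-2222222222-3333333333")  # constructed domain SID
    dc1 = DomainController("DC1", master)
    dc2 = DomainController("DC2", master)
    alice = dc1.create_principal("alice")    # DC1 receives RIDs 1000..1499
    bob = dc2.create_principal("bob")        # DC2 receives RIDs 1500..1999
    for i in range(499):                     # use up the rest of DC1's block
        dc1.create_principal(f"svc{i:03d}")
    master.available = False                 # RID master goes offline
    try:
        dc1.create_principal("carol")        # DC1 needs a fresh block: refused
        carol_failed = False
    except RuntimeError:
        carol_failed = True
    dave = dc2.create_principal("dave")      # DC2 still has RIDs left locally
    return {"alice": alice, "bob": bob, "dave": dave,
            "carol_failed": carol_failed, "unique": all_sids_unique([dc1, dc2])}
```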
What Is the Infrastructure Master?
The infrastructure master is a domain controller that is responsible for updating object references in its domain that point to objects in another domain
Active Directory periodically updates the distinguished name and SID to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object
The infrastructure master updates object identification according to the following rules:
If the object moves at all, its distinguished name will change, because the distinguished name represents its exact location in the directory
If the object is moved within the domain, its SID remains the same
If the object is moved to another domain, the SID changes to incorporate the new domain SID
Infrastructure master and the global catalog
The infrastructure master should not be the same domain controller that hosts the global catalog
If the infrastructure master and the global catalog are on the same computer, the infrastructure master does not function, because it does not contain any references to objects that it does not hold
In addition, the domain replica data and the global catalog server data cannot exist on the same domain controller
Periodically, the infrastructure master for a domain examines the references in its replica of the directory data to objects that are not held on that domain controller
It queries a global catalog server for current information about the distinguished name and SID of each referenced object
If this information has changed, the infrastructure master makes the change in its local replica
Transferring and Seizing Operations Master Roles
When you create a Microsoft Windows Server 2003 domain, Windows Server 2003 automatically configures all of the operations master roles
However, you may need to reassign an operations master role to another domain controller in the forest or the domain
To reassign an operations master role, determine the holder of the operations master role and then either transfer or seize the operations master role
Transfer of Operations Master Roles
The placement of operations master roles in a forest is done when the forest and domain structure is implemented, and requires change only when making a major change to the domain infrastructure
Such changes include decommissioning a domain controller that holds a role or adding a new domain controller that is better suited to hold a specific role
Transferring an operations master role means moving it from one functioning domain controller to another
To transfer roles, both domain controllers must be up and running and connected to the network
No data loss occurs when you transfer an operations master role, as the transfer uses the normal directory replication mechanism
The process of role transfer involves replicating the current operations master directory to the new domain controller, which ensures that the new operations master has the most current information available
Transfer of Operations Master Roles
To transfer an operations master role, you must have the appropriate permissions
The following table lists the groups that you must be a member of to transfer an operations master role
Seizing an operations master role
Seizing an operations master role means forcing an operations master role onto another domain controller when the failed domain controller cannot be contacted to perform a transfer
Seizing an operations master role is a drastic step
Do it only if the current operations master will never be available again and the role cannot be transferred
Because the previous role holder is unavailable during a seizure, you cannot reconfigure it or inform it that another domain controller now hosts the operations master role
To reduce risk, perform a role seizure only if the missing operations master role unacceptably affects the performance of the directory
Calculate the effect by comparing the impact of the missing service to the amount of work that is needed to bring the previous role holder safely back online after you perform the role seizure
Seizing an operations master role
If the previous role holder comes back online after you seize an operations master role, it waits until after a full replication cycle before resuming the role of operations master
This way, it can see whether another operations master exists before it comes back online
If it detects one, it reconfigures itself to no longer host the roles in question
Active Directory continues to function when the operations master roles are unavailable
If the role holder is only offline for a short time, you may not need to seize the role to a new domain controller
Guidelines for Placing Operations Masters
In each child domain, leave the PDC emulator, RID master, and infrastructure master roles on the first server in the domain, and ensure that this server is never designated as a global catalog server
In each domain in the forest, the server that holds the operations master roles should have both high availability and high capacity
A highly available domain controller is one that uses computer hardware that enables the domain controller to remain operational even during a hardware failure. For example, having a redundant array of independent disks (RAID) may enable the domain controller to keep running if a single hard disk fails
A high-capacity domain controller is one that has comparatively higher processing power than other domain controllers to accommodate the additional workload from holding the operations master role. It has a faster CPU and possibly additional memory and network bandwidth
Guidelines for Placing the Schema Master
The schema master is a forest-wide operations master role
It controls all originating updates to the schema. If the schema master is unavailable, you cannot modify the schema
By default, the first domain controller of a new forest holds the schema master role
Make a highly available domain controller the schema master
Since the schema defines all the objects that Active Directory can store, it is critical to record all changes that are made to the schema
Do not require that the schema master be a high-capacity domain controller
Schema changes are infrequent, the average server load is minimal, and the average replication traffic is not an overall concern
Guidelines for Placing the Domain Naming Master
The domain naming master is a forest-wide operations master role
It controls the addition or removal of domains in the forest
By default, the first domain controller of a new forest holds the domain naming master role
Use a highly available domain controller as the domain naming master
High availability is necessary when you add or remove a domain to or from the forest
Do not require that the domain naming master be a high-capacity domain controller
Adding and removing domains are infrequent tasks, and the average server load is minimal
Guidelines for Placing the PDC Emulator Master
The PDC emulator master is a domain-wide operations master role
It acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Windows NT within a domain that is set to either the Windows 2000 mixed or the Windows Server 2003 interim domain functional level
The first domain controller that you create in a new domain is assigned the PDC emulator role
Use a highly available domain controller as the PDC emulator
All domain controllers frequently access the PDC emulator for password changes, forwarding of mismatched passwords during logon, time synchronization, and support of BDCs and clients running Windows NT and earlier
Use a high-capacity domain controller as the PDC emulator
Guidelines for Placing the PDC Emulator Master
Because there would be an increased load placed on this domain controller, do one of the following:
Increase the domain controller's processing power
Do not make the domain controller a global catalog server
Reduce the priority and weight of its service (SRV) records to give preference for authentication to other domain controllers in the site
Centrally locate this domain controller to accommodate the majority of the domain users
Guidelines for Placing the RID Master
Use a highly available domain controller as the RID master
High availability is critical to the continued creation of security principals and helps prevent the need to seize the role
Do not require that the RID master be a high-capacity domain controller
Creating security principals is typically an ongoing operation without large peaks. Also, because RIDs are distributed in blocks of 500 to each domain controller, the average server load and average replication traffic are minimal
Configure the domain controller that holds the RID master role as a direct replication partner of the domain controller that is the standby or backup RID master
This configuration reduces the risk of losing data when you seize the role because replication latency is minimized
Centrally locate the RID master in your network if no single site performs most of the user account creation
Single Sign On
How the Active Directory service enables a single sign-on that allows users to
access approved resources
A single sign-on consists of two parts:
Authentication
Which verifies the credentials of the connection attempt
Authorization
Which verifies that the connection attempt is allowed
The authorization process happens only after a successful authentication
In the next slides we will see the authentication and authorization processes in detail
Single Sign On Authentication
1. The user enters the credentials at a workstation to log on
2. The credentials are encrypted by the client and sent to a domain controller for
the client's domain
3. The KDC (Key Distribution Center) compares the credentials with the credentials
that the KDC stores
If the credentials match then the process continues
4. The domain controller creates a list of the domain-based groups that the user
belongs to
5. The domain controller then queries the global catalog to identify the universal
groups that the user belongs to
Single Sign On Authorization
7. The client requests access to a resource that resides on a specific server
8. The client uses the TGT (ticket-granting ticket) to access the TGS (ticket-granting service)
9. The TGS issues a session ticket to the client for the server that the resource
resides on. The session ticket also contains the SIDs for the user's group
memberships
10. The client presents the session ticket to the server
11. The LSA (Local Security Authority) compares the SIDs in the access token with the
groups that are assigned permissions in the resource's DACL (discretionary access
control list)
If they match, the user is granted access to the resource
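The steps above can be followed in code. The block below is an added example with constructed sample data (hypothetical SIDs, simplified access rights, a made-up share DACL); it is not code from the deck or from Microsoft. It builds the user's SID list from domain-based groups (step 4) and universal groups from the global catalog (step 5), carries those SIDs in a session ticket (step 9), and performs the LSA comparison against the DACL (step 11). It goes slightly beyond the slide by applying the Windows rule for a canonically ordered DACL, where an explicit deny ACE that matches one of the token's SIDs wins over later allow ACEs:

```python
from dataclasses import dataclass

# Simplified access rights; constructed values, not the real Windows access masks.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# Constructed directory data (hypothetical SIDs). Step 4 reads the domain-based
# groups held by the domain controller; step 5 reads the universal groups held
# by the global catalog.
USER_SIDS = {"alice": "S-1-5-21-1-1001", "bob": "S-1-5-21-1-1002"}
DOMAIN_GROUPS = {
    "alice": ["S-1-5-21-1-513", "S-1-5-21-1-2001"],   # Domain Users, Finance
    "bob": ["S-1-5-21-1-513"],                        # Domain Users
}
UNIVERSAL_GROUPS = {"alice": ["S-1-5-21-9-3001"], "bob": []}  # Enterprise Auditors


@dataclass(frozen=True)
class Ace:
    kind: str   # "allow" or "deny"
    sid: str
    mask: int


@dataclass(frozen=True)
class SessionTicket:
    server: str
    sids: tuple  # SIDs copied from the user's token (step 9)


def build_token_sids(user):
    """Steps 4 and 5: the user's own SID plus domain-based and universal group SIDs."""
    return (USER_SIDS[user], *DOMAIN_GROUPS[user], *UNIVERSAL_GROUPS[user])


def issue_session_ticket(user, server):
    """Step 9: the TGS issues a ticket for the target server carrying the SIDs."""
    return SessionTicket(server=server, sids=build_token_sids(user))


def canonical(dacl):
    """Windows expects explicit deny ACEs ahead of explicit allow ACEs."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


def lsa_access_check(ticket_sids, dacl, requested):
    """Step 11: compare the ticket's SIDs with the resource DACL.

    Walks a canonically ordered DACL: a matching deny ACE covering any requested
    right refuses access, matching allow ACEs accumulate rights, and access is
    granted once every requested right is covered. An empty DACL grants nothing.
    """
    present = set(ticket_sids)
    granted = 0
    for ace in dacl:
        if ace.sid not in present:
            continue
        if ace.kind == "deny" and ace.mask & requested:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


# Constructed DACL on a share: Finance may read and write, Enterprise Auditors
# may read, and bob's account is explicitly denied write.
REPORTS_DACL = canonical([
    Ace("allow", "S-1-5-21-1-2001", READ | WRITE),
    Ace("allow", "S-1-5-21-9-3001", READ),
    Ace("deny", "S-1-5-21-1-1002", WRITE),
])


def can_access(user, requested, dacl=REPORTS_DACL, server="fileserver"):
    """Steps 7 to 11 end to end for one user and one resource."""
    ticket = issue_session_ticket(user, server)
    return lsa_access_check(ticket.sids, dacl, requested)


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, "read:", can_access(user, READ), "write:", can_access(user, WRITE))
```

Because the group SIDs are fixed into the ticket when it is issued, a group membership change takes effect only after the user obtains a new ticket (in practice, after logging on again), which is why the deck describes the group lookup as part of authentication rather than of each resource access.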
Single Sign On Conclusion
To conclude, authentication and authorization are complex processes; we will review
them now
Granting Access Between Domains
If an enterprise has multiple domains, in order for a user in one domain to access a
resource in another domain, there needs to first be a trust relationship created between
the two domains
Once the trust relationship has been created, users from one domain will be able to
access resources in the other domain
Trust relationships have evolved significantly since they were introduced back in the
NT days
When trusts were first being implemented, it was a very simple model with one
domain trusting another, and administrators in each domain were responsible for
maintaining their part of the trust
Windows 2000 introduced the two-way transitive trust
Windows Server 2003 takes the trust a step further with a forest trust and by
enabling a single administrator to configure both sides of the trust
A transitive trust is a trust in which the two domains forming the trust not only trust
each other, but other trusted domains as well
If domain A trusts domain B, and domain B trusts domain C, then domain A also
trusts domain C
Nontransitive trusts are not automatic and must be set up
An example of a nontransitive trust is an external trust, such as the trust between a
domain in one forest and a domain in another forest
Shortcut trusts are only partially transitive because trust transitivity is extended
only down the hierarchy from the trusted domain, not up the hierarchy
Forest trusts are also only partially transitive because forest trusts can only be
created between two forests and they cannot be implicitly extended to a third forest
For example, if forest 1 trusts forest 2, and forest 2 trusts forest 3, domains in
forest 1 transitively trust domains in forest 2, and domains in forest 2 transitively trust
domains in forest 3. However, forest 1 does not transitively trust forest 3.
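The transitivity rules above can be checked mechanically. The block below is an added example (not from the deck) that builds a constructed topology of three forests with hypothetical domain names and answers "does this resource domain trust this account domain, and through which chain?" using the rules the slides state: parent/child trusts are fully transitive, an external trust is never extended past its two domains, only one forest trust may appear in a chain, and after a shortcut trust only links going down from the trusted domain are followed. It generalises the forest 1 / forest 2 / forest 3 case to arbitrary topologies:

```python
from collections import deque

# Constructed topology for this example (hypothetical names):
# Forest 1: corp.example -> eu.corp.example -> fr.eu.corp.example
#                        -> us.corp.example -> west.us.corp.example
# Forest 2: partner.example -> lab.partner.example
# Forest 3: vendor.example -> dev.vendor.example
PARENT = {
    "eu.corp.example": "corp.example",
    "fr.eu.corp.example": "eu.corp.example",
    "us.corp.example": "corp.example",
    "west.us.corp.example": "us.corp.example",
    "lab.partner.example": "partner.example",
    "dev.vendor.example": "vendor.example",
}

# Explicitly created trusts: (trusting domain, trusted domain, kind, two-way?)
TRUSTS = [
    ("corp.example", "partner.example", "forest", True),       # forest 1 <-> forest 2
    ("partner.example", "vendor.example", "forest", True),     # forest 2 <-> forest 3
    ("us.corp.example", "vendor.example", "external", False),  # one-way, nontransitive
    ("fr.eu.corp.example", "us.corp.example", "shortcut", False),
]


def build_edges(parent=PARENT, trusts=TRUSTS):
    """Directed edges trusting -> trusted, labelled with the trust kind.

    Parent/child links are the automatic two-way transitive trusts inside a
    forest; "up" and "down" record their direction in the tree.
    """
    edges = {}

    def add(a, b, kind):
        edges.setdefault(a, []).append((b, kind))

    for child, par in parent.items():
        add(child, par, "up")
        add(par, child, "down")
    for trusting, trusted, kind, two_way in trusts:
        add(trusting, trusted, kind)
        if two_way:
            add(trusted, trusting, kind)
    return edges


def trust_path(resource_domain, account_domain, edges=None):
    """Shortest chain by which resource_domain trusts account_domain, or None.

    Breadth-first search over (domain, forest trust already used, restricted to
    downward links), which encodes the partial-transitivity rules in the text.
    """
    edges = edges or build_edges()
    start = (resource_domain, False, False)
    prev = {start: None}
    queue = deque([start])
    while queue:
        state = queue.popleft()
        domain, forest_used, down_only = state
        if domain == account_domain:
            path = []
            while state:
                path.append(state[0])
                state = prev[state]
            return path[::-1]
        for nxt, kind in edges.get(domain, []):
            if kind == "external":
                # Nontransitive: usable only as the single hop from the start.
                if domain == resource_domain and nxt == account_domain:
                    return [resource_domain, nxt]
                continue
            if kind == "forest" and (forest_used or down_only):
                continue            # no chaining through a third forest
            if kind in ("up", "shortcut") and down_only:
                continue            # shortcut transitivity extends only downward
            new = (nxt, forest_used or kind == "forest", down_only or kind == "shortcut")
            if new not in prev:
                prev[new] = state
                queue.append(new)
    return None


if __name__ == "__main__":
    for pair in [("eu.corp.example", "lab.partner.example"),
                 ("corp.example", "vendor.example"),
                 ("fr.eu.corp.example", "west.us.corp.example")]:
        print(pair, "->", trust_path(*pair))
```

Note that the shortcut trust never changes whether two domains in the same forest trust each other (the tree already makes them trust each other); it only shortens the chain that authentication has to walk, which is what the shortest-path result shows for fr.eu.corp.example reaching west.us.corp.example in two hops instead of four.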
Introduction to Maintaining Active Directory
Maintenance of the Active Directory database is an important administrative task
that must be regularly scheduled to ensure that, in the case of disaster, you can
recover lost or corrupted data and repair the Active Directory database
Active Directory has its own database engine, the Extensible Storage Engine
(ESE), which manages the storage of all Active Directory objects in the Active
Directory database
An understanding of how the changes that are made to attributes in Active Directory
are written to the database will help you understand how data modification affects
database performance, database fragmentation, and data integrity
Active Directory support files and their functions
Ntds.dit
This is the main AD database
NTDS stands for NT Directory Services. The DIT stands for Directory
Information Tree
The Ntds.dit file on a particular domain controller contains all naming contexts
hosted by that domain controller, including the Configuration and Schema naming contexts
A Global Catalog server stores the partial naming context replicas in the
Ntds.dit right along with the full Domain naming context for its domain.
Edb.log
This is a transaction log
Any changes made to objects in Active Directory are first saved to a
transaction log
During lulls in CPU activity, the database engine commits the transactions into
the main Ntds.dit database
This ensures that the database can be recovered in the event of a system
crash
Entries that have not been committed to Ntds.dit are kept in memory to
improve performance
Transaction log files used by the ESE engine are always 10MB.
Edbxxxxx.log
These are auxiliary transaction logs used to store changes if the main Edb.log file
gets full before it can be flushed to Ntds.dit
The xxxxx stands for a sequential number in hex. When the Edb.log file fills
up, an Edbtemp.log file is opened
The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to
Edb.log, and the process starts over again
ESENT (Server Database Storage Engine) uses circular logging
Excess log files are deleted after they have been committed. You may see
more than one Edbxxxxx.log file if a busy domain controller has many updates
pending
Edb.chk
This is a checkpoint file
It is used by the transaction logging system to mark the point at which updates
are transferred from the log files to Ntds.dit
As transactions are committed, the checkpoint moves forward in the Edb.chk
file
If the system terminates abnormally, the pointer tells the system how far along
a given set of commits had progressed before the termination
Temp.edb
This is a scratch pad used to store information about in-progress transactions and
to hold pages pulled out of Ntds.dit during compaction
Schema.ini
This file is used to initialize the Ntds.dit during the initial promotion of a domain
controller. It is not used after that has been accomplished.
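The interplay between Edb.log, the rolled Edbxxxxx.log generations, Edb.chk and the in-memory copy of uncommitted changes is easiest to see in a small model. The block below is an added example, not code from the deck or from the ESE engine: it keeps a log file that rolls to EdbNNNNN.log after a constructed capacity of three records (standing in for the fixed 10 MB size), commits logged records to a dictionary that plays the part of Ntds.dit, advances a checkpoint, deletes fully committed generations as circular logging does, and shows how a crash loses only memory because recovery replays the log from the checkpoint onward:

```python
LOG_CAPACITY = 3  # records per log file; constructed stand-in for the fixed 10 MB size


class EseModel:
    """Model of Ntds.dit, Edb.log / EdbNNNNN.log, Edb.chk and the in-memory cache."""

    def __init__(self):
        self.ntds_dit = {}              # committed attribute values
        self.memory = {}                # changes logged but not yet committed
        self.logs = {"Edb.log": []}     # file name -> list of (lsn, attribute, value)
        self.generation = 0             # hex sequence number of the last rolled log
        self.edb_chk = 0                # checkpoint: highest LSN already in Ntds.dit
        self.next_lsn = 1               # log sequence number of the next record

    def write(self, attribute, value):
        """A change is appended to the transaction log first, then held in memory."""
        if len(self.logs["Edb.log"]) >= LOG_CAPACITY:
            self._roll_log()
        self.logs["Edb.log"].append((self.next_lsn, attribute, value))
        self.memory[attribute] = value
        self.next_lsn += 1

    def _roll_log(self):
        """Edb.log is full: it becomes EdbNNNNN.log and a fresh Edb.log is opened."""
        self.generation += 1
        self.logs[f"Edb{self.generation:05X}.log"] = self.logs.pop("Edb.log")
        self.logs["Edb.log"] = []

    def read(self, attribute):
        """Uncommitted changes are served from memory, everything else from Ntds.dit."""
        return self.memory.get(attribute, self.ntds_dit.get(attribute))

    def _records_after_checkpoint(self):
        return sorted(rec for f in self.logs.values() for rec in f if rec[0] > self.edb_chk)

    def commit_pending(self):
        """Lull in activity: apply logged records past the checkpoint to Ntds.dit,
        advance Edb.chk, and delete rolled logs that are fully committed."""
        for lsn, attribute, value in self._records_after_checkpoint():
            self.ntds_dit[attribute] = value
            self.edb_chk = lsn
        self.memory.clear()
        for name in [n for n in self.logs if n != "Edb.log"]:
            if all(lsn <= self.edb_chk for lsn, _, _ in self.logs[name]):
                del self.logs[name]

    def crash(self):
        """Abnormal termination: memory is lost; the log files and Edb.chk survive."""
        self.memory.clear()

    def recover(self):
        """On restart the checkpoint says where to resume; replay later log records.
        Returns the number of records replayed."""
        replayed = len(self._records_after_checkpoint())
        self.commit_pending()
        return replayed


if __name__ == "__main__":
    ese = EseModel()
    for i in range(4):
        ese.write(f"user{i}.description", f"value {i}")   # constructed changes
    print("log files before commit:", sorted(ese.logs))
    ese.commit_pending()
    print("checkpoint:", ese.edb_chk, "log files after commit:", sorted(ese.logs))
    ese.write("user9.description", "pending")
    ese.crash()
    print("replayed after crash:", ese.recover(), ese.read("user9.description"))
```

The recovery path is the reason a backup of the database files alone is not enough: without the log generations written after the checkpoint, the changes still sitting only in the logs at the time of the copy cannot be replayed.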
Moving and Defragmenting the Active Directory Database
Why move database and log files?
You move a database to a new location when you defragment the database
Moving the database does not delete the original database, so you can use
the original database if the defragmented database does not work or becomes
corrupted
Also, if your disk space is limited, you can add another hard disk drive and
move the database to the new hard disk drive
Additionally, you move database files for hardware maintenance
If the disk on which the files are stored requires upgrading or maintenance,
you can move the files to another location temporarily or permanently
Backing Up Active Directory
Backing up is essential to maintaining the Active Directory database
You can back up Active Directory by using the graphical user interface (GUI) and
command-line tools that are provided in the Windows Server 2003 family
You back up the system state data of domain controllers frequently so that you
have the most current data to restore
By establishing a regularly scheduled backup routine, you have a better chance of
recovering data when necessary
To ensure a good backup, which includes at least the system state data and
contents of the system disk, you must be aware of the tombstone lifetime
By default, the tombstone lifetime is 60 days; any backup older than 60 days is not a
good backup
You should plan to back up at least two domain controllers in each domain, one of
which is an operations master role holder
For each domain, you should maintain at least one backup to enable authoritative
restores of the data when necessary
Components of the System State Data
Active Directory (only on domain controllers). System state data does not contain
Active Directory unless the server on which you are backing up the system state data
is a domain controller
The SYSVOL shared folder (only on domain controllers). The SYSVOL folder is a
shared folder that contains Group Policy templates and logon scripts
The registry. The registry is a database repository for information about the computer's
configuration
The system start-up files. These files are required during the initial start-up phase of
Windows Server 2003; they include the boot and system files that are under Windows File
Protection and are used by Windows to load, configure, and run the operating system
The COM+ Class Registration database. The class registration is a database of
information about Component Services applications.
How to Back Up Active Directory
To perform a backup procedure, you must be a member of the Administrators or
Backup Operators group on the local computer, or you must have been delegated the
appropriate authority
If the computer is joined to a domain, members of the Domain Admins group might
be able to perform this procedure
You can only back up the system state data on a local computer
You cannot back up the system state data on a remote computer
Restoring Active Directory
The Windows Server 2003 family enables you to restore the Active Directory
database if it becomes corrupted or is destroyed because of hardware or software
failures
You also must restore the Active Directory database when objects in Active
Directory are changed or deleted
You can restore replicated data on a domain controller in several ways
You can reinstall the domain controller, and then let the normal replication
process repopulate the new domain controller with data from its replicas
You can use the Backup Utility Wizard to restore replicated data from backup
media without reinstalling the operating system or reconfiguring the domain
controller
There are three methods for restoring Active Directory from backup media
The Primary Restore Method
The Normal (Nonauthoritative) Restore Method
The Authoritative Restore Method
Primary restore:
A primary restore rebuilds the first domain controller in a domain when there is no
other way to rebuild the domain
A primary restore should only be performed when all the domain controllers in
the domain are lost, and you are trying to rebuild the domain from the backup
Normal (nonauthoritative) restore:
A nonauthoritative restore reinstates the Active Directory data to the state
before the backup, and then updates the data through the normal replication
process
A normal restore should only be performed when you want to restore a single
domain controller to a previously known good state
Authoritative restore:
An authoritative restore is performed in tandem with a normal restore
An authoritative restore marks specific data as current and prevents that data
from being overwritten by replication
The authoritative data is then replicated throughout the domain
Perform an authoritative restore to restore individual objects in a domain that
has multiple domain controllers
When you perform an authoritative restore, all changes to the restored object
that occurred after the backup are lost
What's a Group Policy?
Like files and folders, users and groups, and domains and organizational units,
a Group Policy Object (GPO) is just another software object, typically stored in the
Active Directory database
This software object is made up of a collection of settings that can potentially affect
almost any aspect of user and computer configuration
Group Policies can then be linked to the container objects in Active Directory:
sites, domains, and organizational units
The Group Policies linked will then configure settings that, by default, affect all
objects in the container
They can be used to determine what Start Menu options are available, what the
background of the desktop will be, what programs will be available
The Local Group Policy Object