
Active Directory Database Service

Reasons to deploy Active Directory
- Security
- Central management
- Single sign-on access
  o Authentication: verifies your identity [access token (SID)]
  o Authorization: verifies that an authenticated user has permission to access a resource or perform an action (DACL)
- Scalability
- Common management interface
- Users get easier access to resources

Active Directory roles
- Active Directory Domain Services
- Active Directory Federation Services
- Active Directory Certificate Services
- Active Directory LDAP
- Active Directory Rights Management Services

Active Directory components
- Logical components: schema, domains, domain trees, trusts, forests, organizational units
- Physical components: data store, domain controllers (including RODCs), global catalogs, sites

Logical components
o Schema: defines every type of object that can be stored in Active Directory and enforces rules regarding the objects that you can create.
  - Class object: defines what new objects can be created
  - Attribute object: defines what information can be stored for each object class
o Domain: a boundary for administration, replication, authentication and authorization.
o Domain trees: a hierarchy of domains sharing a contiguous namespace with the parent domain.
o Forests: a collection of one or more domain trees. The domains share a common schema, the configuration partition, the global catalog, and trusts between all domains in the forest. They also share the Enterprise Admins and Schema Admins groups.

o Organizational units (OUs): containers for users, groups, computers and other OUs. Also used to assign Group Policy.

Physical components
o Data store (ntds.dit, in the NTDS folder)
o Active Directory partitions: domain, configuration, schema, application
  - Domain partition (replicated within the domain)
  - Configuration partition (replicated in the forest)
  - Schema partition (replicated in the forest)
  - Application partition (customized)
o Domain controllers: hold a copy of the AD database for the domain, provide authentication and authorization services, replicate AD changes to other DCs, and allow administrative access to manage network resources.
o Global catalogs: hold a full copy of the domain partition for the domain where they reside and partial information about the objects in the other domains. They provide authentication and authorization services, replicate AD changes to other DCs, and allow administrative access to manage network resources.
o Sites: network segment(s) of well-connected servers and workstations, associated with IP subnets. Used to manage replication traffic and client logon traffic, and by applications like Exchange and Distributed File System.

Requirements to install Active Directory DS
o Windows Server 2000, 2003 or 2008: Standard, Enterprise or Datacenter edition
o At least 250 MB on an NTFS partition
o TCP/IP protocol
o DNS service with dynamic updates
o Local admin permission to install the first DC
o Domain admin permission to install an additional DC in the domain
o Enterprise admin permission to add an additional domain to a forest

First server
1. Install the Active Directory Domain Services role from Server Manager
2. Run dcpromo from the command prompt
3. Install the first domain controller in the first domain, with DNS

Second server
1. Install the DNS role from Server Manager
2. Configure this DNS server to forward name resolution requests to the first server
3. Install the Active Directory Domain Services role from Server Manager
4. Run dcpromo from the command prompt
5. Add a domain controller to the existing domain
6. Verify that the Active Directory database has been replicated

Options for the second DNS server:
o Stub zones
o Secondary zone
o Forwarder
o Conditional forwarding
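The second-server procedure above, driven from the command line on Windows Server 2008 with an answer file for dcpromo /unattend. This is an added example, not part of the notes; the domain name contoso.com, the first DC's address 10.0.0.10, the interface name, the site name and the installer account are assumptions.

```powershell
# Added example (not from the notes): promote a second server as an additional
# DC in an existing domain. Domain, addresses and account names are assumptions.

# Steps 1-3: DNS role, forwarder to the first DC, AD DS binaries
ServerManagerCmd -install DNS-Server
dnscmd /resetforwarders 10.0.0.10
ServerManagerCmd -install ADDS-Domain-Controller
# The new DC must itself resolve the domain through the first DC before dcpromo:
netsh interface ip set dns name="Local Area Connection" source=static addr=10.0.0.10
nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com

# Steps 4-5: answer file for an additional DC ("replica") in the existing domain
$answerFile = "$env:TEMP\dcpromo-replica.txt"
@"
[DCInstall]
ReplicaOrNewDomain=Replica
ReplicaDomainDNSName=contoso.com
SiteName=Default-First-Site-Name
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="C:\Windows\NTDS"
LogPath="C:\Windows\NTDS"
SYSVOLPath="C:\Windows\SYSVOL"
UserDomain=contoso.com
UserName=svc-dcinstall
Password=*
SafeModeAdminPassword=REPLACE-WITH-DSRM-PASSWORD
RebootOnCompletion=No
"@ | Set-Content -Path $answerFile -Encoding ASCII

# Password=* makes dcpromo prompt for the domain-admin password instead of
# storing it; the DSRM password is still written to disk, so the file is
# deleted as soon as promotion finishes and before the reboot.
dcpromo /unattend:$answerFile
Remove-Item -Path $answerFile -Force
Restart-Computer

# Step 6 (after the reboot): confirm the database replicated from the first DC
repadmin /showrepl
repadmin /replsummary
dcdiag /test:replications
```

ReplicaOrNewDomain=Replica is what "add a domain controller to an existing domain" (step 5) selects in the wizard; the same answer file with a different ReplicaOrNewDomain value would be used for a new domain or tree.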

DCPROMO: adding a replica
- Online
- Offline (from a backup)
- Server Core: dcpromo /unattend:filename
- Active Directory multimaster replication: tested

Active Directory functional levels
- Determine the Active Directory DS features available in a domain or forest
- Restrict which versions of Windows can be DCs in a domain or forest
Domain functional level / forest functional level
o Windows 2000 native: Windows 2000 DCs
o Windows Server 2003: Windows Server 2003 DCs
  - RODC support
  - Linked-value replication (replication at the attribute level)
  - Forest trusts
  - Domain rename
o Windows Server 2008
  - DFS-R
  - Fine-grained password policies
  - Advanced Encryption Standard (AES) support

Upgrading to Windows Server 2008 Active Directory DS: preparation by current level
- Forest level Windows 2000/2003: adprep /forestprep (run on the schema master)
- Domain level Windows 2000: adprep /domainprep /gpprep (run on the infrastructure master)
- Domain level Windows 2003: adprep /domainprep (run on the infrastructure master)
Run from the installation media: CD:\sources\adprep\adprep.exe

Flexible single master operations (FSMO)
Domain-wide operations
o PDC emulator master
  - Priority in receiving password updates
  - Used to provide the authoritative time for all other DCs
  - Manages the GPO updates
  - Domain master browser
o Infrastructure master
  - Keeps track of group membership from other domains
o RID master
  - Assigns blocks of IDs to the other DCs in the domain
  - Cannot return the role to the same DC after a seize
Forest-wide operations
o Schema master
  - Allows you to make changes to the schema (regsvr32 schmmgmt.dll registers the Schema snap-in)
  - Cannot return the role to the same DC after a seize
o Domain naming master
  - Allows you to add/remove domains in the forest
  - Cannot return the role to the same DC after a seize
Transferring roles / seizing a role
o Ntdsutil
  roles
  connections
  connect to server servername
  quit
  seize pdc
  seize rid master
  seize infrastructure master
  seize naming master
  seize schema master
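The same FSMO inventory and role move done with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later), as an added example that is not part of the notes. The DC name NYC-DC2 is an assumption; the transfer/seize distinction is the one the notes describe for ntdsutil.

```powershell
# Added example (not from the notes): locate the five FSMO role holders and
# move a role with the ActiveDirectory module. DC names are assumptions.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        # forest-wide roles
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # domain-wide roles
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}
Get-FsmoHolders | Format-List
# Same answer from the classic tool:
netdom query fsmo

# Transfer (the current holder is online and reachable): the roles move gracefully.
Move-ADDirectoryServerOperationMasterRole -Identity 'NYC-DC2' `
    -OperationMasterRole PDCEmulator, InfrastructureMaster

# Seize (the current holder is permanently gone): add -Force. After seizing the
# RID, schema or domain naming master the old holder must be removed from the
# forest rather than powered on again ("cannot return the role to the same DC
# after a seize" in the notes), otherwise two DCs would hand out RIDs.
# Move-ADDirectoryServerOperationMasterRole -Identity 'NYC-DC2' -OperationMasterRole RIDMaster -Force

# The PDC emulator is the authoritative time source: confirm this DC still
# chains to it after the move.
w32tm /query /source
# And confirm the other DCs learn the new holders (replication lag is the usual
# cause of "operations master is unavailable" errors right after a transfer).
repadmin /showrepl
```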

Active Directory DS and DNS integration

[Figure: DNS namespace versus Active Directory namespace. DNS zones abc.com, internal.abc.com and xyz.com; the Active Directory namespace contoso.com holds AD objects, while the DNS namespace contoso.com holds DNS records.]

Active Directory needs DNS service (SRV) records.
Active Directory integrated zones:
- More secure (secure dynamic updates)
- Easier to manage
- Stored in the Active Directory database (C:\windows\ntds\ntds.dit)
- DNS replication is encrypted along with Active Directory replication
- Multimaster replication advantage
  o Change the DNS database on any read/write DC
DNS and SRV records are used when:
- A DC needs to replicate changes
- A client needs to log on to the network
- A user tries to change his/her password
- An Exchange server needs to perform a directory lookup
- An administrator needs to access Active Directory
Active Directory integrated zones can be replicated to:
- All domain controllers within the domain
- All DCs with the DNS service in the domain
- All DCs with the DNS service in the forest
- All DCs with the DNS service enlisted in the same customized application partition
  o Dnscmd /createdirectorypartition abc.com
  o Dnscmd /enumdirectorypartitions
  o Dnscmd servername.domainname.com /enlistdirectorypartition abc.com
Demoting a domain controller
- Review the FSMO roles
- Review the global catalog configuration
- Run dcpromo
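A check of the SRV records and zone settings the notes describe, as an added example that is not part of the notes. It assumes the ActiveDirectory and DnsServer PowerShell modules (Windows Server 2012 and later; the dnscmd commands above are the 2008 equivalents) and runs on a DC that hosts DNS.

```powershell
# Added example (not from the notes): verify the SRV records AD depends on and
# the replication/update settings of AD-integrated zones. Assumes the
# ActiveDirectory and DnsServer modules (Windows Server 2012+).
Import-Module ActiveDirectory, DnsServer

$domain = Get-ADDomain
$forest = Get-ADForest

# SRV records used by the DC locator, Kerberos, GC lookups and password changes
$srvNames = @(
    "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_kerberos._tcp.dc._msdcs.$($domain.DNSRoot)",
    "_ldap._tcp.gc._msdcs.$($forest.RootDomain)",
    "_kpasswd._tcp.$($domain.DNSRoot)"
)
foreach ($name in $srvNames) {
    try {
        $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'SRV' }
        "{0,-50} -> {1}" -f $name, (($records.NameTarget | Sort-Object -Unique) -join ', ')
    } catch {
        Write-Warning "Missing SRV record: $name ($($_.Exception.Message))"
    }
}

# AD-integrated zones: where they replicate and whether updates are secure
Get-DnsServerZone | Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName, DynamicUpdate

# Hardening: a zone that accepts non-secure dynamic updates lets any host on the
# network overwrite records (including the SRV records above). Restrict it.
Get-DnsServerZone |
    Where-Object { $_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure' } |
    ForEach-Object {
        Write-Warning "$($_.ZoneName): DynamicUpdate=$($_.DynamicUpdate); switching to Secure"
        Set-DnsServerPrimaryZone -Name $_.ZoneName -DynamicUpdate Secure
    }

# Custom application partitions (the dnscmd way from the notes), for zones that
# should replicate only to an enlisted subset of DNS servers:
#   dnscmd /createdirectorypartition abc.com
#   dnscmd /enumdirectorypartitions
#   dnscmd servername.domainname.com /enlistdirectorypartition abc.com
```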

Read-only domain controllers
RODCs host read-only partitions of the Active Directory database.
- Only accept replicated changes from read/write DCs
- Never initiate replication
- Cannot hold any FSMO role, but can be a global catalog
- Cannot be the first DC in a domain
Read-only DCs provide:
- Unidirectional replication
- Credential caching
- Administrative role separation
- Read-only DNS
- RODC filtered attribute set
Preparing to install an RODC
- Can be installed only on Windows Server 2008
- The forest functional level must be at least Windows Server 2003
- A Windows Server 2008 DC must be running to replicate the domain partition
- If there are Windows Server 2003 DCs, run adprep /rodcprep (on the schema master)
- If the RODC will be a global catalog, run adprep /domainprep in all domains in the forest (on just one DC per domain: the infrastructure master)
Delegating the RODC installation:
- Pre-create the RODC account in the Domain Controllers organizational unit (OU)
- Assign a user or group the permission to install the RODC
- On the RODC run: dcpromo /UseExistingAccount:Attach
Password replication policies
- Determine how the RODC performs credential caching for authenticated users
- By default, the RODC does not cache any user or computer credentials
- Options for password policy configuration:
  o No credential caching
  o Enable credential caching on an RODC for specific accounts
  o Add users or computers to the domain's Allowed RODC Password Replication Group so their credentials are cached on all RODCs
Delegating the local administrator role once the RODC is installed
- Log on as administrator to the RODC
- At the command prompt:
  o Dsmgmt
    local roles
    add <Username> administrators
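The password replication policy and role-separation steps above, done with the ActiveDirectory PowerShell module (Windows Server 2008 R2 and later). This is an added example, not part of the notes; the RODC name BRANCH-RODC1 and the Branch-Users, Branch-Computers and Branch-Admins groups are assumptions.

```powershell
# Added example (not from the notes): inspect and tighten the password
# replication policy (PRP) of one RODC. RODC and group names are assumptions.
Import-Module ActiveDirectory
$rodc = 'BRANCH-RODC1'

# What the PRP allows and denies today. Out of the box only the (empty)
# "Allowed RODC Password Replication Group" is allowed and the privileged
# groups are denied, which is why nothing is cached by default.
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, objectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, objectClass

# Scope caching to the branch: only the users and computers that log on there.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -AllowedList 'Branch-Users', 'Branch-Computers'
# Make the denial of admin accounts explicit (deny wins over allow).
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc `
    -DeniedList 'Domain Admins', 'Enterprise Admins', 'Schema Admins'

# Exposure check: which secrets are already cached on this RODC? If the RODC is
# lost or compromised, these are the accounts whose passwords must be reset.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Select-Object Name, objectClass

# Accounts that authenticated through the RODC but are not cached: either
# candidates for the allowed list or out-of-scope accounts using the branch.
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts |
    Select-Object Name, objectClass

# Administrative role separation: the managedBy attribute of the RODC computer
# object grants local admin on that RODC only, with no domain-wide rights
# (the same result as "dsmgmt: local roles / add <user> administrators").
$branchAdmins = (Get-ADGroup -Identity 'Branch-Admins').DistinguishedName
Set-ADComputer -Identity $rodc -ManagedBy $branchAdmins
Get-ADComputer -Identity $rodc -Properties ManagedBy | Select-Object Name, ManagedBy
```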

Types of Active Directory objects:
o User accounts
o Computer accounts
o Group accounts
o Organizational units (OUs)
o Printers
o Shared folders

Organizational units can be organized by:
- Geography
- Departments/divisions
- Projects/business units
OUs are used for delegation and to apply Group Policy.
Searching Active Directory: from Vista, XP, or a server.

Group types:
- Security: used to assign permissions (can also be used as a mailing list)
- Distribution: mailing list only

Group scopes
- Domain local groups
  Membership: universal or global groups from any domain; domain local groups from the same domain; user accounts from any domain
  Where can they be used to assign permissions? In the same domain
- Global groups
  Membership: accounts from the same domain only
  Where can they be used to assign permissions? Anywhere in the forest
- Universal groups
  Membership: from anywhere
  Where can they be used to assign permissions? Anywhere
- Local groups
  Membership: from anywhere
  Where can they be used to assign permissions? On the local computer
Special groups: Anonymous, Authenticated Users, Local System, Network, Interactive, Everyone, Service, Dialup, and more

Example global groups: Finance, HR, Sales, Marketing
- User account -> global group -> permission assigned to the GG [AG/ACL]
- User account -> global group -> domain local group -> permission assigned to the DLG [AG/DLG/ACL]

Kerberos terms
- Key Distribution Center (Kerberos server)
- Ticket granting ticket (TGT)
- Security identifier (SID)
- Security identifiers of the user's groups (group SIDs)
- Session ticket

Delegating administrative tasks: RSAT for Windows Vista SP1

Trust relationships
- Allow security principals to use their credentials across domains.
- They are necessary to allow resource access across domains.
- Users are authenticated in their own domains, but they can use their credentials in other domains.
Trust configuration and settings
- Transitive
- Trust direction
  o One-way incoming (trusted)
  o One-way outgoing (trusting)
  o Two-way
Active Directory trust types
- Parent/child trust: transitive; created automatically when a child domain is added
- Tree/root trust: transitive; created automatically when a domain tree is added to the forest
- External trust: non-transitive; for domains in different forests
- Forest trust: partially transitive; enables authentication/access between forests
- Shortcut trust: partially transitive; reduces the Kerberos authentication hops
- Realm trust: admin choice; trusts an external Kerberos realm
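The AG/DLG/ACL pattern from the group section above, built end to end with the ActiveDirectory module, plus a check that the resulting ACL follows the pattern. This is an added example, not part of the notes; the OU path, group names, user names and share path are assumptions.

```powershell
# Added example (not from the notes): accounts -> global group -> domain local
# group -> permission (AG/DLG/ACL). OU, names, users and share path are assumptions.
Import-Module ActiveDirectory
$ou    = 'OU=Groups,DC=contoso,DC=com'
$share = 'D:\Shares\Finance'

# A -> G: accounts go into a global group that describes a role.
New-ADGroup -Name 'GG-Finance' -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'GG-Finance' -Members 'alice', 'bob'

# G -> DL: a domain local group describes one permission on one resource.
# Global groups from any domain in the forest can be nested here, which is why
# the resource-side group is domain local and the role-side group is global.
New-ADGroup -Name 'DL-FinanceShare-Modify' -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity 'DL-FinanceShare-Modify' -Members 'GG-Finance'

# DL -> ACL: only the domain local group appears on the resource.
$sid  = (Get-ADGroup -Identity 'DL-FinanceShare-Modify').SID
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $sid, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl = Get-Acl -Path $share
$acl.AddAccessRule($rule)
Set-Acl -Path $share -AclObject $acl

# Review: any explicit ACE granted to a user or to a global/universal group
# bypasses the pattern and is what an access review should flag.
function Get-AgdlpViolation {
    param([string]$Path)
    (Get-Acl -Path $Path).Access |
        Where-Object { -not $_.IsInherited } |
        ForEach-Object {
            $name = ($_.IdentityReference.Value -split '\\')[-1]
            $obj  = Get-ADObject -Filter "sAMAccountName -eq '$name'" -Properties groupType
            # groupType bit 0x4 = domain local (resource group); users have no groupType
            if ($obj.objectClass -eq 'user' -or
                ($obj.objectClass -eq 'group' -and -not ($obj.groupType -band 0x4))) {
                [pscustomobject]@{
                    Identity = $_.IdentityReference.Value
                    Rights   = $_.FileSystemRights
                }
            }
        }
}
Get-AgdlpViolation -Path $share
```

Well-known identities such as NT AUTHORITY\SYSTEM do not resolve through Get-ADObject and are therefore not reported; BUILTIN groups resolve as domain local and pass.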

Domain controller configuration before adding a domain tree to a forest
NYC-DC1 (DC in the root domain)
- Configure DNS forwarder
- Configure DNS zone replication across the forest
NYC-DC2 (server that will become the first DC in the new domain tree)
- Install DNS (no zone is needed)
- Configure DNS forwarder
- Configure DNS client
- Run DCPROMO (option to add a domain tree)

Forest trusts: preparation work
- Must be established at the root domain of each forest
- Both forests must be at least at the Windows Server 2003 functional level
- Ensure the DNS service is available between the forests before trying to set up the trust
Forest trust authentication options
- Selective authentication
  o Limits which computers can be accessed by users from a trusted forest/domain.
- Forest-wide authentication
  o Users from a trusted domain/forest can access any computer on which permissions are assigned to the Authenticated Users or Everyone group.
Whenever you create a trust, a new trusted domain object (TDO) is created and stored in the System container of the trust's domain. The TDO stores information about the trust such as the trust transitivity and type.

The trust path

When a user from the trusted domain attempts to access a resource in the other domain, the user's computer first contacts the domain controller in its own domain to get authentication to the resource. If the resource is not in the user's domain, the domain controller uses the trust relationship with its parent and refers the user's computer to a domain controller in its parent domain. This attempt to locate the resource continues up the trust hierarchy, possibly to the forest root domain, and down the trust hierarchy until contact occurs with a domain controller in the domain where the resource is located. Kerberos checks the TDO to verify the trust relationships between the domains.
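A trust inventory that reads the TDOs the paragraph above describes and flags the authentication setting the forest-trust section calls out, as an added example that is not part of the notes. It assumes the ActiveDirectory module and the netdom tool from RSAT; the trustAttributes bit meanings are the documented values (0x1 non-transitive, 0x4 SID filtering/quarantine, 0x8 forest transitive, 0x10 cross-organization, i.e. selective authentication).

```powershell
# Added example (not from the notes): inventory every trust of this domain,
# decode the TDOs in CN=System, and flag forest-wide authentication.
Import-Module ActiveDirectory
$localDomain = (Get-ADDomain).DNSRoot

# 1. Trusts with the settings that decide exposure
$trusts = Get-ADTrust -Filter * -Properties *
$trusts | Select-Object Name, Direction, TrustType, IntraForest, ForestTransitive,
    SelectiveAuthentication, SIDFilteringQuarantined, TGTDelegation |
    Format-Table -AutoSize

# 2. The TDOs themselves live in the System container of the domain
function Get-TrustedDomainObject {
    $base = "CN=System,$((Get-ADDomain).DistinguishedName)"
    Get-ADObject -Filter 'objectClass -eq "trustedDomain"' -SearchBase $base `
        -Properties trustDirection, trustType, trustAttributes, whenChanged |
    ForEach-Object {
        $a = [int]$_.trustAttributes
        [pscustomobject]@{
            Name          = $_.Name
            Direction     = @{1 = 'Inbound'; 2 = 'Outbound'; 3 = 'Bidirectional'}[[int]$_.trustDirection]
            NonTransitive = [bool]($a -band 0x1)
            SidFiltering  = [bool]($a -band 0x4)
            ForestTrans   = [bool]($a -band 0x8)
            SelectiveAuth = [bool]($a -band 0x10)
            LastChanged   = $_.whenChanged
        }
    }
}
Get-TrustedDomainObject | Format-Table -AutoSize

# 3. Forest/external trusts without selective authentication grant every account
#    in the trusted forest access to anything that allows Authenticated Users.
$trusts | Where-Object { -not $_.IntraForest -and -not $_.SelectiveAuthentication } |
    ForEach-Object {
        Write-Warning "$($_.Name): forest-wide authentication in use; review whether selective authentication is required"
    }
# Same for trusts with SID filtering disabled on a trust that leaves the forest.
$trusts | Where-Object { -not $_.IntraForest -and -not $_.SIDFilteringQuarantined } |
    ForEach-Object { Write-Warning "$($_.Name): SID filtering is not enabled" }

# 4. Verify the trust path actually works (secure channel to the trusted domain)
foreach ($t in $trusts) {
    netdom trust $localDomain /domain:$t.Target /verify
}
```

An unexpected TDO, or a whenChanged timestamp with no matching change record, is worth a second look: trusts are created rarely, so the list should be short and stable.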

Active Directory sites
- Sites are created for computers in a well-connected network.
- Sites are used to control replication traffic, logon traffic, and service localization, including client computer requests to the GCs.
- Only DCs are directly administered in Active Directory sites. Member servers and workstations are associated with sites by their IP address configuration.

Intra-site replication
- Replication updates are not compressed.
- Domain controllers notify their replication partners when updates occur.
- For normal updates, the change notification happens 15 seconds after the change is applied.
- Notifications for security-related changes are sent immediately.
- The replication partner pulls the changes using an RPC connection.
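A site and replication health check that reflects the two sections above (DCs placed in sites, clients mapped by subnet, partners pulling over RPC), as an added example that is not part of the notes. It assumes the ActiveDirectory module cmdlets of Windows Server 2012 and later and the nltest tool.

```powershell
# Added example (not from the notes): map sites to subnets and DCs, then check
# replication partner status for every DC. Assumes Windows Server 2012+ cmdlets.
Import-Module ActiveDirectory

# Sites, the subnets that map clients to them, and the DCs placed in each
$subnets = Get-ADReplicationSubnet -Filter *
Get-ADReplicationSite -Filter * | ForEach-Object {
    $siteDn = $_.DistinguishedName
    [pscustomobject]@{
        Site    = $_.Name
        Subnets = ($subnets | Where-Object { $_.Site -eq $siteDn }).Name -join ', '
        DCs     = (Get-ADDomainController -Filter "Site -eq '$($_.Name)'").HostName -join ', '
    }
} | Format-Table -AutoSize

# Which site this machine's IP configuration resolves to (what clients use to
# find a nearby DC/GC)
nltest /dsgetsite

# Partner status for every DC: who pulls from whom, over which transport, and
# when the last successful pull happened
$dcs = (Get-ADDomainController -Filter *).HostName
Get-ADReplicationPartnerMetadata -Target $dcs -Scope Server |
    Select-Object Server, Partner, Partition, IntersiteTransportType,
        LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures |
    Sort-Object ConsecutiveReplicationFailures -Descending |
    Format-Table -AutoSize

# Recorded failures. A partner that keeps failing here is a DC that has stopped
# receiving password and group changes, including security-related ones that
# intra-site notification would otherwise deliver immediately.
Get-ADReplicationFailure -Target $dcs |
    Select-Object Server, Partner, FailureType, FirstFailureTime, FailureCount, LastError

# Intra-site replication is an RPC pull: confirm the endpoint mapper port is
# reachable between partners before digging into directory-level errors.
foreach ($dc in $dcs) {
    Test-NetConnection -ComputerName $dc -Port 135 |
        Select-Object ComputerName, RemotePort, TcpTestSucceeded
}
```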
