Active Directory Basic introduction



Active Directory (AD) is Microsoft's network operating system (NOS) directory service. AD was introduced with Windows 2000 Server and has evolved since. AD is a database that keeps track of users and groups, computers and printers, applications and services, and it is a centralized, standardized system that automates the management of user data, security and distributed resources. The AD structure can be made to mirror the structure of your organization and can be administered from a single point. Because it also holds every domain account's credentials and every domain logon is decided by it, a domain controller is the most sensitive host on the network.

LDAP (Lightweight Directory Access Protocol)

LDAP is a directory service protocol that runs over TCP/IP; AD additionally accepts connectionless LDAP (CLDAP) over UDP for domain controller location. LDAP is based on a client-server model and is the core protocol that Active Directory exposes for directory access: it is the preferred and most common way of interacting with AD. The LDAP API gives direct access to the protocol, and ADSI is the COM interface to AD that uses LDAP underneath.

LDAP is a wire protocol, which means that it defines the encapsulation and exchange of requests and responses between a client and a server.

LDAP enables clients to query, create, update and delete information stored in a directory service over a TCP connection, by default on port 389 (port 636 carries LDAP over TLS, LDAPS). LDAP v3 is an industry standard that can be used with any directory service. Note that a port 389 session is cleartext unless the client negotiates TLS (StartTLS) or authenticates with a SASL mechanism (Kerberos or NTLM) that provides signing: a simple bind on port 389 sends the password in the clear. Domain controllers should therefore be configured to require LDAP signing and, where the clients support it, LDAP channel binding.

Objects in Active Directory

Objects stored within Active Directory are presented to the user hierarchically, much as files are presented in a file system. There are two types of objects: containers and non-containers (also known as leaf objects). A container may hold other containers or leaf objects. Although the data in AD is presented hierarchically, it is actually stored in a flat database of rows and columns. The directory information tree file, Ntds.dit, is an Extensible Storage Engine (ESE) database; ESE is Microsoft's JET database engine technology. Ntds.dit holds the password hashes of every account in the domain, so any copy of it (backups, VSS snapshots, or the file itself together with the SYSTEM registry hive that holds the key needed to decrypt it) must be protected like the domain controller itself. Two copies of Ntds.dit are present in separate locations on a given domain controller.

%SystemRoot%\NTDS\Ntds.dit : This file stores the database that is in use on the domain controller. It contains the values for the domain and a replica of the forest-wide values (the Schema and Configuration partitions).

%SystemRoot%\System32\Ntds.dit : This file is the distribution copy of the default directory that is used when you promote a Windows server to a domain controller. During the promotion process, Ntds.dit is copied from the %SystemRoot%\System32 directory into the %SystemRoot%\NTDS directory. Active Directory is then started from this new copy of the file, and replication updates the file from other domain controllers.

The most common type of container in AD is an Organizational Unit (OU).


Uniquely Identifying Objects:

When you are potentially storing millions of objects in Active Directory, each object has to be uniquely locatable and identifiable. To that end, every object is assigned a globally unique identifier (GUID) by the system at creation. This 128-bit number is the Microsoft implementation of the universally unique identifier (UUID) concept that originated in the Distributed Computing Environment (DCE). The object's GUID stays with the object until it is deleted, regardless of whether it is renamed or moved within the directory information tree (DIT). The object's GUID is also preserved if you move an object between domains within a multi-domain forest.

A cross forest move of a security principal using a tool such as the Microsoft Active Directory Migration Tool (ADMT) will not preserve the object’s GUID.

Distinguished names:

Hierarchical paths in Active Directory are known as distinguished names (DNs) and can be used to uniquely reference an object. Distinguished names are defined in the LDAP standard as a means of referring to any object in the directory, and distinguished names for Active Directory objects are normally represented using the syntax and rules defined in the LDAP standards.

For example, the domain frenchitguy.com has the distinguished name

DC=frenchitguy,DC=com

and its child domain france.frenchitguy.com has the distinguished name

DC=france,DC=frenchitguy,DC=com

DC stands for domain component and is used to specify domain or application partition objects. Note that the most specific component comes first: the DN is read from the object towards the root, the opposite of the DNS name.

A relative distinguished name (RDN) is the name used to uniquely reference an object within its parent container in the directory.

For example,

DN for the default Administrator account in the Users container of the frenchitguy.com domain:

CN=Administrator,CN=Users,DC=frenchitguy,DC=com

RDN of the Administrator account:

CN=Administrator

RDNs must always be unique within the container in which they exist (two objects in the same container cannot share an RDN, although the same RDN can appear in different containers). Every RDN uses an attribute-type prefix that indicates the naming attribute of the object's class. Any object class that does not have a specific naming attribute uses the default, cn, which stands for common name. Be aware that an RDN value may itself contain characters that are special in a DN (a comma, an equals sign, a plus sign, quotation marks); in that case the LDAP rules require them to be escaped with a backslash, for example CN=Smith\, John. These are the most common attribute types amongst directory server implementations:

String   Attribute type
DC       domainComponent
CN       commonName
OU       organizationalUnitName
O        organizationName
STREET   streetAddress
L        localityName
ST       stateOrProvinceName
C        countryName
UID      userid
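The following is an added example, not code from the original post, showing how a DN is taken apart into its RDNs the way an LDAP library does it, including the backslash escaping described above that a plain split on commas gets wrong. The domain names are those used in the text; the function names and the sample DNs containing escaped characters are this example's own.

```python
"""Distinguished-name (DN) helpers for Active Directory, following RFC 4514.

Added example (not from the original post). It shows what a naive
dn.split(",") gets wrong: an RDN value may itself contain ',' '=' '+' or
other special characters, which LDAP escapes with a backslash, either as
"\," or as a hex pair such as "\2C".
"""
import string
from typing import List, Tuple

RDN = Tuple[str, str]

# Characters RFC 4514 requires to be escaped anywhere inside an RDN value.
SPECIAL_CHARS = ',+"\\<>;'


def split_dn(dn: str) -> List[RDN]:
    """Split a DN into (attribute type, value) pairs, leaf RDN first.

    Handles backslash and hex-pair escapes. Multi-valued RDNs ('+') and
    BER-encoded values ('#...') are not used by AD and are not supported.
    """
    rdns: List[RDN] = []
    attr: List[str] = []
    value = bytearray()            # collected as UTF-8 so "\C3\A9" decodes to "é"
    in_value = False
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if in_value and ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(c in string.hexdigits for c in pair):
                value.append(int(pair, 16))          # hex escape, e.g. \2C
                i += 3
            elif i + 1 < n:
                value += dn[i + 1].encode("utf-8")   # literal escape, e.g. \,
                i += 2
            else:
                raise ValueError(f"dangling backslash in DN: {dn!r}")
            continue
        if not in_value:
            if ch == "=":
                in_value = True
            else:
                attr.append(ch)
        elif ch == ",":                              # unescaped comma ends the RDN
            rdns.append(("".join(attr).strip(), value.decode("utf-8")))
            attr, value, in_value = [], bytearray(), False
        else:
            value += ch.encode("utf-8")
        i += 1
    if not in_value or not attr:
        raise ValueError(f"malformed DN: {dn!r}")
    rdns.append(("".join(attr).strip(), value.decode("utf-8")))
    return rdns


def escape_value(value: str) -> str:
    """Escape an RDN value for inclusion in a DN string (inverse of split_dn)."""
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch in SPECIAL_CHARS or (idx == 0 and ch in "# ") or (idx == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def join_dn(rdns: List[RDN]) -> str:
    return ",".join(f"{attr}={escape_value(val)}" for attr, val in rdns)


def rdn(dn: str) -> str:
    """The object's own name: the first component of the DN."""
    return join_dn(split_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """The container the object lives in: everything after the RDN."""
    return join_dn(split_dn(dn)[1:])


def dns_name(dn: str) -> str:
    """Map the DC components back to the domain's DNS name."""
    return ".".join(val for attr, val in split_dn(dn) if attr.upper() == "DC")


if __name__ == "__main__":
    admin = "CN=Administrator,CN=Users,DC=frenchitguy,DC=com"
    tricky = "CN=Smith\\, John,OU=Sales,DC=france,DC=frenchitguy,DC=com"   # constructed
    for dn in (admin, tricky):
        print(rdn(dn), "|", parent_dn(dn), "|", dns_name(dn))
```

Running the block prints the RDN, the parent container and the DNS domain for both DNs; the second one has a comma inside the user's name, which is why the escaping matters when DNs are built from untrusted input such as a display name.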

Domain

A domain is a logical group of network objects (computers, users, devices) that share the same Active Directory database. An Active Directory domain is made up of the following components:

  • An X.500-based hierarchical structure of containers and objects. (X.500 is the ITU-T directory standard on which AD's data model is based. The X.500 model uses a hierarchical approach to objects in the namespace: the namespace has a root at the top, with children coming off the root. Although Active Directory is modeled on X.500, the access protocol is LDAP, not the X.500 DAP.)
  • A DNS domain name as a unique identifier.
  • A security service, which authenticates and authorizes any access to resources via accounts in the domain or trusts with other domains.
  • Policies that dictate how functionality is restricted for users or machines within that domain.

Domain Tree

A domain tree is a series of domains connected together in a hierarchical fashion, all using a contiguous naming scheme; for example, frenchitguy.com as the tree root with france.frenchitguy.com as a child domain.

Trees ease management and access to resources, as all the domains in a domain tree trust one another implicitly through transitive parent-child trusts.

Forest

An Active Directory forest is a collection of one or more domain trees. All domains in a forest share a common Schema and Configuration partition. As soon as you create a single domain, you have a forest; adding domains to the initial domain tree or adding new domain trees does not change that, you still have one forest.

A forest is named after the first domain that is created in it, also known as the forest root domain. In Active Directory you can never remove the forest root domain. Transitive trusts are created automatically when a new domain is added to the forest (parent-child trusts within a tree, tree-root trusts between trees), so every domain in the forest trusts every other one. For that reason the forest, not the domain, is the security boundary: because of the shared Configuration partition and the unfiltered transitive trusts, compromise of administrative accounts in any one domain has to be treated as compromise of the whole forest, and Enterprise Admins in the forest root are effectively administrators of every domain.

The Global Catalog

The Global Catalog (GC) is used to perform forest-wide searches. It is a catalog of all objects in the forest that contains only a subset of the attributes of each object, the members of the partial attribute set (PAS). The GC is accessed via LDAP on port 3268 or LDAP over TLS on port 3269. The partial replicas a GC holds of other domains are read-only and cannot be updated through the GC ports; writes go to a domain controller of the object's own domain on port 389 or 636. A GC is still the place where a forest-wide enumeration of users and groups is cheapest, which makes it as interesting to an attacker mapping the forest as to an administrator.

Flexible Single Master Operations (FSMO) roles

Even though Active Directory is a multi-master directory, there are operations that only a single domain controller may perform. For these, Active Directory designates one DC as the operations master for that task. There are five such roles, each held by exactly one DC at a time.

Of the five roles, three exist for every domain, and two apply to the entire forest. The different FSMO roles are:

  • Schema master (forest-wide)

The schema master role owner is the domain controller that is allowed to make updates to the schema. The default schema master role owner is the first server to be promoted to a domain controller in the forest. Schema changes are forest-wide and largely irreversible, so the schema master and the Schema Admins group (which should normally be empty) deserve the tightest control.

  • Domain naming master (forest-wide)

The domain naming master role owner is the server that controls changes to the forest-wide namespace. This server adds and removes domains and is required to rename or move domains within a forest, as well as to authorize the creation of application partitions and the addition of their replicas.

  • PDC emulator (domain-wide)

For backward-compatibility purposes, one Active Directory DC has to act as the Windows NT primary domain controller (PDC). The PDC emulator also has other important roles: it attempts to hold the latest password for any account, because password changes made on any DC are replicated to it preferentially and failed logons are retried against it before an account is locked out, so it has the most current password and lockout state. The PDC emulator is also the target server of most Group Policy management tools. Finally, the PDC emulator in each domain is the primary time source for the domain, and the PDC emulator of the forest root domain is the primary time source for the entire forest; since Kerberos tolerates only a small clock skew (five minutes by default), the integrity of that time source matters.

  • RID master (domain-wide)

A relative identifier (RID) master exists per domain. Every security principal in a domain has a security identifier (SID) that is composed of several components, the last of which is the RID. The system uses the SID to uniquely identify that object for security permissions. A SID is given only to security-enabled objects (users, computers and security groups) and is used only for security decisions. Within a domain, SIDs must be unique, and as every DC can create security-enabled objects, some mechanism has to exist so that two identical SIDs are never created. To keep conflicts from occurring, the RID master maintains a large pool of unique RID values. When a DC is added to the domain, it is allocated a block of 500 values (the default pool size) from the RID pool for its own use. Whenever a DC needs to create a SID, it takes the next available value from its own RID pool and appends it to the domain SID. In this way, the RID master makes sure that all SIDs in a domain use unique RID values. RIDs below 1000 are reserved for well-known principals: for example RID 500 is always the built-in Administrator account and RID 512 the Domain Admins group, whatever names they have been given.
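As an added example (not code from the original post), here is the SID structure the RID master's scheme relies on, in Python: parsing the S-1-5-21-... text form, converting to and from the binary form stored in the objectSid attribute, and splitting a principal's SID into the domain SID and the RID. The sample SIDs are constructed, and the well-known RID values are the documented Windows constants.

```python
"""Security identifier (SID) helpers.

Added example (not from the original post). A SID is a revision byte, a
48-bit identifier authority and up to 15 32-bit sub-authorities; for a
domain principal the domain SID is S-1-5-21-<a>-<b>-<c> and the final
sub-authority is the RID handed out from a DC's RID pool.
"""
import struct
from typing import List, Tuple

# RIDs that exist in every domain (values from the Windows well-known SID list).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}
FIRST_POOL_RID = 1000    # RIDs below this are reserved; DC pools start here
RID_POOL_SIZE = 500      # default block a DC receives from the RID master


def parse_sid(sid: str) -> Tuple[int, int, List[int]]:
    """Parse 'S-R-A-s1-s2-...' into (revision, authority, sub-authorities)."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError(f"not a SID: {sid!r}")
    try:
        revision, authority = int(parts[1]), int(parts[2])
        subs = [int(p) for p in parts[3:]]
    except ValueError:
        raise ValueError(f"not a SID: {sid!r}") from None
    if (revision != 1 or not 0 <= authority < 1 << 48 or len(subs) > 15
            or any(not 0 <= s < 1 << 32 for s in subs)):
        raise ValueError(f"SID field out of range: {sid!r}")
    return revision, authority, subs


def sid_to_bytes(sid: str) -> bytes:
    """Encode a SID as stored in objectSid: revision, sub-authority count,
    6-byte big-endian authority, then little-endian 32-bit sub-authorities."""
    revision, authority, subs = parse_sid(sid)
    return (struct.pack("<BB", revision, len(subs))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(data: bytes) -> str:
    """Decode the binary objectSid form back to the S-1-... string."""
    if len(data) < 8:
        raise ValueError("SID too short")
    revision, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack_from(f"<{count}I", data, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def split_domain_sid(sid: str) -> Tuple[str, int]:
    """Split a domain principal's SID into (domain SID, RID)."""
    _, authority, subs = parse_sid(sid)
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain principal SID: {sid!r}")
    return "S-1-5-21-" + "-".join(str(s) for s in subs[1:4]), subs[4]


def describe_rid(rid: int) -> str:
    """Say where a RID came from: a built-in principal, or a DC's RID pool."""
    if rid in WELL_KNOWN_RIDS:
        return f"well-known: {WELL_KNOWN_RIDS[rid]}"
    if rid < FIRST_POOL_RID:
        return "reserved well-known range"
    return "allocated from a DC's RID pool"


if __name__ == "__main__":
    sid = "S-1-5-21-1004336348-1177238915-682003330-500"   # constructed sample
    domain_sid, rid = split_domain_sid(sid)
    print(domain_sid, rid, describe_rid(rid))
    print(sid_to_bytes(sid).hex())
    assert bytes_to_sid(sid_to_bytes(sid)) == sid
```

The practical use of split_domain_sid and describe_rid is spotting renamed built-in accounts: an account whose RID is 500 is the Administrator account regardless of its sAMAccountName, which is how both auditors and attackers find it.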

  • Infrastructure master (domain-wide)

The infrastructure master maintains references to objects in other domains, known as phantoms. If three users from domain B are members of a group in domain A, the infrastructure master in domain A maintains the phantom records for the domain B user members. The infrastructure master continually updates these phantoms whenever the objects they refer to are changed or moved in their own domain. When an object in one domain references an object in another domain, it represents that reference by the GUID, the SID and the DN of the referenced object; the infrastructure master is the DC responsible for updating the SID and distinguished name in such a cross-domain reference. It is also responsible for fixing up stale references (references to objects that have been moved or renamed, so that the local copy of the remote object's name is out of date) from objects in its domain to objects in other domains. It does this by comparing its naming data with that of a Global Catalog server. For that reason the infrastructure master must not be placed on a Global Catalog server, unless every DC in the domain is a GC (in which case the role has nothing to do); a GC already holds the up-to-date data and the role holder would never notice a stale reference. The infrastructure master is additionally responsible for performing domain updates when upgrading to a newer Windows Server version: adprep /domainprep must be run on the infrastructure master.

FSMO roles can be transferred between domain controllers while both servers are available. There will be situations in which a FSMO role owner becomes unavailable without the role having been transferred. In that case you have to use NTDSUTIL (or Move-ADDirectoryServerOperationMasterRole with the -Force parameter in PowerShell) to force the transfer of the role to another server, known as seizing the role. Once you have seized a FSMO role, never bring the original role owner back online in its old state: perform a metadata cleanup and rebuild the domain controller. Otherwise two DCs may believe they own the role, and for the RID master that can result in the same RID block being handed out twice, producing duplicate SIDs.

Active Directory Domain Services Functional Levels:

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. Functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if the forest functional level is Windows Server 2008, you can set the domain functional level only to Windows Server 2008 or higher; the Windows 2000 native and Windows Server 2003 domain functional levels are not available, and all domains that you subsequently add to that forest have the Windows Server 2008 domain functional level by default. You can set the domain functional level to a value that is higher than the forest functional level. For example, if the forest functional level is Windows Server 2003, you can set the domain functional level to Windows Server 2003 or higher. Several security features depend on the level: AES Kerberos encryption needs Windows Server 2008, and Protected Users enforcement on the DC side, Authentication Policies and silos need Windows Server 2012 R2.

 

Domain functional levels, with the supported domain controller operating systems, the available features and the functional level number:

Windows 2000 native (functional level number 0)
Supported domain controllers: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.
Available features: all of the default AD features and the following directory features:

–          Universal groups for both distribution and security groups.

–          Group nesting.

–          Group conversion, which allows conversion between security and distribution groups.

–          Security identifier (SID) history.

Windows Server 2003 (functional level number 2)
Supported domain controllers: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
Available features: all features available at the Windows 2000 native level plus the following:

–          The domain management tool, Netdom.exe, which makes it possible for you to rename domain controllers.

–          Logon time stamp updates (the lastLogonTimestamp attribute, which replicates).

–          The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.

–          The ability to redirect the Users and Computers containers.

–          The ability for Authorization Manager to store its authorization policies in AD.

–          Constrained delegation.

–          Selective authentication.

Windows Server 2008 (functional level number 3)
Supported domain controllers: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
Available features: all of the features from the Windows Server 2003 level plus the following:

–          Distributed File System (DFS) replication support for the System Volume (SYSVOL).

–          Domain-based DFS namespaces running in Windows Server 2008 mode, which includes support for access-based enumeration and increased scalability.

–          Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.

–          Last interactive logon information.

–          Fine-grained password policies.

–          Personal virtual desktops.

Windows Server 2008 R2 (functional level number 4)
Supported domain controllers: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
Available features: all features from the Windows Server 2008 domain level plus the following:

–          Authentication mechanism assurance, which packages information about the type of logon method that was used to authenticate domain users inside each user's Kerberos token.

–          Automatic SPN management for services running on a particular computer under the context of a Managed Service Account when the name or DNS host name of the machine account changes.

Windows Server 2012 (functional level number 5)
Supported domain controllers: Windows Server 2012, Windows Server 2012 R2.
Available features: all features from the Windows Server 2008 R2 domain level plus the following:

–          KDC support for claims, compound authentication and Kerberos armoring.

Windows Server 2012 R2 (functional level number 6)
Supported domain controllers: Windows Server 2012 R2.
Available features: all features from the Windows Server 2012 domain level plus the following:

–          DC-side protection for Protected Users.

–          Authentication Policies.

–          Authentication Policy Silos.
 

Forest functional levels, with the supported domain controller operating systems, the available features and the functional level number:

Windows 2000 (functional level number 0)
Supported domain controllers: Windows 2000, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2.
Available features: all of the default AD features are available.

Windows Server 2003 (functional level number 2)
Supported domain controllers: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
Available features: all of the default AD features and the following:

–          Forest trust.

–          Domain rename.

–          Linked value replication.

–          The ability to deploy a read-only domain controller (RODC).

–          Improved Knowledge Consistency Checker (KCC) algorithms and scalability.

–          The ability to create instances of the dynamic auxiliary class named dynamicObject in a domain directory partition.

–          The ability to convert an inetOrgPerson object instance into a User object instance, and to complete the conversion in the opposite direction.

–          The ability to create instances of new group types to support role-based authorization.

–          Deactivation and redefinition of attributes and classes in the schema.

–          Domain-based DFS namespaces running in Windows Server 2008 mode, which includes support for access-based enumeration and increased scalability.

Windows Server 2008 (functional level number 3)
Supported domain controllers: Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
Available features: all of the features that are available at the Windows Server 2003 forest functional level; no new forest-wide features.

Windows Server 2008 R2 (functional level number 4)
Supported domain controllers: Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2.
Available features: all of the features that are available at the Windows Server 2008 forest functional level plus the following:

–          Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.

Windows Server 2012 (functional level number 5)
Supported domain controllers: Windows Server 2012, Windows Server 2012 R2.
Available features: all of the features that are available at the Windows Server 2008 R2 forest functional level.

Windows Server 2012 R2 (functional level number 6)
Supported domain controllers: Windows Server 2012 R2.
Available features: all of the features that are available at the Windows Server 2012 forest functional level.

 

Guidelines for raising the domain or forest functional levels:

  • You must be a member of the Domain Admins group to raise the domain functional level.
  • You must be a member of the Enterprise Admins group to raise the forest functional level.
  • You can raise the domain functional level on the PDC emulator only. The AD DS administrative tools that you use to raise the domain functional level (Active Directory Domains and Trusts, or Active Directory Users and Computers) automatically target the PDC emulator.
  • You can raise the forest functional level on the schema operations master only. Active Directory Domains and Trusts automatically targets the schema master when you raise the forest functional level.
  • You can raise the functional level of a domain only if all the domain controllers in the domain run a version of Windows Server that the new functional level supports.
  • You can raise the functional level of a forest only if all the domain controllers in the forest run a version of Windows Server that the new functional level supports.
  • You cannot set the domain functional level to a value that is lower than the forest functional level, but you can set it to a value that is equal to or higher than the forest functional level.
  • Treat raising a functional level as a one-way operation: it can be lowered again only on Windows Server 2008 R2 and later, never below the Windows Server 2008 R2 level, and not once an optional feature that depends on the level, such as the Active Directory Recycle Bin, has been enabled. Verify the operating system of every DC before raising.

Active Directory Groups:

Active Directory supports three group scopes: domain local, domain global and universal. Each group scope can have one of two types: distribution or security.

If the type is distribution, the group has no security function: its SID is not added to a user's security token at logon, so it cannot be used in a Windows access control entry. Distribution groups are used as messaging lists; Microsoft Exchange represents distribution lists with Active Directory distribution groups. Security groups, by contrast, are enumerated during logon, and the SIDs of all groups of which the user is a (direct or nested) member are added to the user's security token.

A global group can contain only accounts and other global groups from its own domain. A universal group can contain accounts, global groups and other universal groups from any domain in the forest. A domain local group can contain accounts, global groups and universal groups from any trusted domain (including domains in other forests), plus domain local groups from its own domain. Universal and global groups can be used in access control lists (ACLs) on any resource in the forest or in trusting domains; domain local groups can only be used in ACLs in the domain in which they are created.

Group nesting:

Rows are the containing group; columns are the group that is to be added as a member:

Containing group                 DL dist  DL sec  Global dist  Global sec  Univ dist  Univ sec
Domain local distribution group  Yes      Yes     Yes          Yes         Yes        Yes
Domain local security group      Yes      Yes     Yes          Yes         Yes        Yes
Domain global distribution group No       No      Yes          Yes         No         No
Domain global security group     No       No      Yes          Yes         No         No
Universal distribution group     No       No      Yes          Yes         Yes        Yes
Universal security group         No       No      Yes          Yes         Yes        Yes

Global groups can contain only global groups from their own domain, and domain local groups can contain other domain local groups only from their own domain; the "Yes" entries above are subject to those domain restrictions.

Group membership across domains:

Note that while universal groups can contain members from different domains, those domains cannot span forests. All universal group members must be from the same forest.

Converting groups:

The conversion fails if any existing member would not be a valid member of the new group scope once the conversion has taken place, or if the group is itself a member of a group that could no longer contain it.

  • Security groups can be converted to distribution groups.
  • Distribution groups can be converted to security groups.
  • A domain local group can be converted to a universal group, provided it does not contain other domain local groups.
  • A domain local group cannot be converted directly to a domain global group (convert it to universal first, then to global).
  • A domain global group can be converted to a universal group, provided it is not itself a member of another global group.
  • A domain global group cannot be converted directly to a domain local group.
  • A universal group can be converted to a domain global group, provided it contains no universal groups and all of its members belong to the domain in which the group exists.
  • A universal group can be converted to a domain local group.

From \ To       Domain local   Domain global   Universal
Domain local    N/A            No              Yes
Domain global   No             N/A             Yes
Universal       Yes            Yes             N/A

Ok folks. This is a basic introduction to Windows Active Directory. Have fun.
