Best of Active Directory Stuff
A domain partitions a network for security and administrative purposes: it has its own accounts, policies and administrators. Keep in mind that the forest, not the domain, is the real security boundary, because an administrator of any domain in the forest can affect every other domain in it.
When you create an Active Directory site, the Active Directory automatically assigns the role of bridgehead server to one domain controller. The bridgehead server sends and receives replication data from remote sites.
OUs can also serve as administrative and security boundaries. Different security standards can be placed on OUs, including different Group Policy objects, and administratively an OU can be delegated so that a particular administrator or group controls it.
With an OU, then, you can apply security to a subset of an existing domain, let a different set of administrators manage that subset, and link different policies to it.
Sites are not a part of the DNS namespace, but they are maintained for traffic and replication flow purposes.
When you define various sites within the Active Directory Sites and Services tool, you enable the Knowledge Consistency Checker (KCC) and other Active Directory services to know that your enterprise contains remote sites. The KCC also knows that those sites are connected by WAN communication links or site links. When you define information about those site links, then the Active Directory can make decisions about how to best use the bandwidth available.
Global catalog servers contain a full replica of Active Directory objects within their domain and a partial replica of Active Directory objects in other domains in the forest.
User principal name (UPN) suffixes: by default the suffixes available for an account are the DNS names of its own domain and of the forest root domain; additional suffixes can be added in Active Directory Domains and Trusts.
A site is a physical grouping of computers based on TCP/IP connectivity (well-connected subnets), and a domain is a logical grouping of users, computers, and other Active Directory objects based on administrative and security needs.
Active Directory naming is built on DNS: every domain name is a DNS name. The difference is only in where the namespace is published. The Internet DNS namespace is public, while the Active Directory namespace is normally an internal one served by your own DNS servers, either a separate private name or a subdomain of your public name.
If intersite replication has to cross a firewall, designate a preferred bridgehead server in that site and allow replication traffic through the firewall only for that domain controller; otherwise the firewall, not the KCC, ends up deciding which domain controller is able to replicate.
The Active Directory Sizer is a tool that gathers information from you about your network and your computers and then gives you a report that estimates the hardware you will need to meet the workload demands of your environment.
For moving users, groups and computers between domains (for example from Windows NT domains into Active Directory), the primary tool to consider is the Active Directory Migration Tool (ADMT).
While I’m on the subject of connecting and synchronizing with the Active Directory, I should mention that Windows 2000 includes an Active Directory Connector (ADC) for connecting the Exchange Server 5.5 directory with the Active Directory.
FSMO (Flexible Single Master Operations) roles -
Schema Master—the schema master is a domain controller that manages any changes that are made to the Active Directory schema. There is only one schema master in an Active Directory forest.
Domain Naming Master—the domain naming master domain controller manages the addition or removal of domains from the Active Directory forest. There can be only one domain naming master per forest.
Relative ID (RID) Master—the RID master manages the allocation of RIDs to domain controllers in the domain. The RID master manages object security IDs and RIDs for the domain. There is one RID master per domain in the forest.
PDC Emulator—The PDC Emulator role allows a Windows 2000 domain controller to act like a PDC to Windows NT servers and clients. Since NT is not aware of Active Directory's multi-master replication, the PDC Emulator acts as the single PDC those systems expect, which allows Windows NT Servers and Windows 2000 Servers in the same domain (called mixed mode). The role still matters in native mode: password changes are forwarded to it first, account lockouts are processed there, and it is the domain's authoritative time source. There is one PDC Emulator per domain.
Infrastructure Master—the Infrastructure master updates group-to-user references that cross domain boundaries. In other words, when a user from another domain is a member of a group in this domain, the Infrastructure master keeps that reference (name and SID) current when the user is renamed or moved. There is only one Infrastructure master in each domain in the forest.
Global Catalog—In addition to the standard master operation roles, there are also global catalog servers. Global catalog servers hold a partial replica for all objects in all domains. Global catalog servers are used for network logons by providing universal group membership information to a domain controller when a logon occurs. Global catalogs also assist user object queries.
The file system provides a way for your operating system to store data in a logical, organized manner. Without a file system, your computer would not be able to logically write and read data on a hard disk.
Convert a volume to NTFS (required for the SYSVOL share; the conversion is one-way): convert <drive letter>: /fs:ntfs
The Active Directory database and its log files live in C:\WINNT\NTDS by default (you choose both locations during dcpromo; putting the logs on a different disk from the database improves performance and recoverability).
Each domain controller's SYSVOL folder holds the file-based part of the directory: Group Policy templates and logon/logoff scripts. It is replicated between domain controllers separately from the database (by the File Replication Service in Windows 2000/2003) and must reside on an NTFS volume.
Child domains are automatically connected to the root domain through a transitive trust relationship. Transitive trusts are two-way trust relationships and allow all domains in a tree to trust each other automatically. Because the trust is transitive, if Domain 1 trusts Domain 2 and Domain 2 trusts Domain 3, then Domain 1 automatically trusts Domain 3 through the transitive nature of the trust.
Active Directory Trust Relationships
In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The trust relationships supported in Windows Server 2003 are summarized below:
- Parent/Child trust: exists between two domains in the same forest that share a contiguous DNS namespace. It is created automatically when a child domain is added to a domain tree, and it is two-way and transitive.
- Tree Root trust: exists between the forest root domain and the root domain of each additional tree in the same forest (the trees do not share a DNS namespace). It is created automatically when a new tree root domain is added to the forest, and it is two-way and transitive.
- Shortcut trust: can be configured between any two domains in the same forest whose trust path would otherwise climb up through the tree roots. It is transitive and is typically used to shorten authentication paths and improve logon and resource-access times.
- External trust: created between an Active Directory domain and a domain outside the forest, either a Windows NT 4 domain or an Active Directory domain in another forest. External trusts are non-transitive and can be one-way or two-way.
- Realm trust: exists between an Active Directory domain and a non-Windows Kerberos V5 realm. It can be one-way or two-way and transitive or non-transitive.
- Forest trust: created between the root domains of two Windows Server 2003 forests. It is transitive across all domains of both forests, but it does not extend to a third forest.
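The practical question behind the list above is whether a user from one domain can actually reach a resource in another, and that depends on transitivity. The following is an added example, not code from the original page: a small trust graph and a path walk that honours the rules just listed (parent/child, tree root, shortcut and forest trusts are transitive; an external trust, and a realm trust left at its default, is not; a forest trust cannot be chained into a third forest). The domain names and the trust layout in example_trusts() are constructed.

```python
from collections import deque

# Trust kinds that can be chained. A realm trust is modelled as non-transitive,
# which is its default; mark it "realm-transitive" if you configure it that way.
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest", "realm-transitive"}


def add_trust(trusts, trusting, trusted, kind, two_way=True):
    """Record 'trusting trusts trusted': users from `trusted` may use resources in `trusting`."""
    trusts.append((trusting, trusted, kind))
    if two_way:
        trusts.append((trusted, trusting, kind))


def can_access(trusts, resource_domain, user_domain):
    """Breadth-first walk from the resource domain toward the user's domain.

    A non-transitive trust may only ever be a direct, single hop; a forest
    trust is transitive inside the two forests it joins but a path may not
    cross more than one forest trust.
    """
    if resource_domain == user_domain:
        return True
    queue = deque([(resource_domain, 0, 0)])   # (domain, hops so far, forest trusts used)
    seen = {(resource_domain, 0)}
    while queue:
        domain, hops, forests = queue.popleft()
        for trusting, trusted, kind in trusts:
            if trusting != domain:
                continue
            if kind not in TRANSITIVE and hops > 0:
                continue                        # non-transitive: direct hop only
            forests_used = forests + (1 if kind == "forest" else 0)
            if forests_used > 1:
                continue                        # no chaining across a third forest
            if trusted == user_domain:
                return True
            if kind not in TRANSITIVE:
                continue                        # cannot continue past a non-transitive hop
            if (trusted, forests_used) not in seen:
                seen.add((trusted, forests_used))
                queue.append((trusted, hops + 1, forests_used))
    return False


def example_trusts():
    """Constructed layout: forest A (a.corp, eng.a.corp), forest B (b.corp,
    sales.b.corp), forest C (c.corp), an NT 4 domain, forest trusts A-B and
    B-C, and a one-way external trust in which a.corp trusts nt4dom."""
    trusts = []
    add_trust(trusts, "a.corp", "eng.a.corp", "parent-child")
    add_trust(trusts, "b.corp", "sales.b.corp", "parent-child")
    add_trust(trusts, "a.corp", "b.corp", "forest")
    add_trust(trusts, "b.corp", "c.corp", "forest")
    add_trust(trusts, "a.corp", "nt4dom", "external", two_way=False)
    return trusts


if __name__ == "__main__":
    t = example_trusts()
    for resource, user in [("sales.b.corp", "eng.a.corp"), ("a.corp", "nt4dom"),
                           ("eng.a.corp", "nt4dom"), ("nt4dom", "a.corp"), ("c.corp", "a.corp")]:
        print(f"{user:>12} -> {resource:<13} {'allowed' if can_access(t, resource, user) else 'denied'}")
```

The two cases worth noticing are the NT 4 domain, whose users reach a.corp but not its child eng.a.corp because the external trust stops after one hop, and c.corp, which forest-trusts b.corp but gains nothing from b.corp's own forest trust with a.corp.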
Do not place the global catalog server role on the same domain controller that holds the Infrastructure master role. The Infrastructure master compares the cross-domain references (phantoms) held in its domain against a global catalog, finds the ones that are out of date and updates them. If the domain controller is itself a global catalog, it holds full copies of the referenced objects instead of phantoms, so it never finds anything to update and the other domain controllers in the domain are left with stale references. The rule does not matter if every domain controller in the domain is a global catalog server, or if the forest has only one domain, because then there are no phantoms to update.
A site can contain several domains, or a single domain can span multiple sites.
Without site links, the Active Directory cannot replicate data between sites
The Active Directory can use RPC over IP (Remote Procedure Calls over Internet Protocol) or SMTP (Simple Mail Transfer Protocol) to send replication data between sites. SMTP can be used for low-bandwidth links or links that use the Internet, but only for the schema, configuration and global catalog partitions, never for the domain partition.
Within each site, the Active Directory automatically configures a domain controller to be a bridgehead server. The bridgehead server sends and receives replication data from remote sites.
Kerberos is an Internet standard authentication protocol, and it provides faster service and stronger security features than NTLM, the authentication protocol of Windows NT. Kerberos V5 is the default protocol among Windows 2000 computers (Server and Professional) within an Active Directory forest. Windows 2000 also supports Windows NT LAN Manager (NTLM) for backward compatibility, so that down-level clients and servers such as NT and Windows 9x can log on to a Windows 2000 Server.
NTLM is not tied to mixed mode: switching a domain to native mode does not disable it. NTLM is still used whenever Kerberos cannot be, for example by down-level clients, for local account and workgroup logons, and when a resource is reached by IP address rather than by name, so restricting NTLM is a separate hardening task from raising the domain mode.
Finally, Windows 2000 also supports Secure Sockets Layer/Transport Layer Security (SSL/TLS), a protocol used to authenticate Web clients to Web servers. Windows 2000 can use SSL/TLS with client certificates to authenticate Internet users to a Windows 2000 Server, in conjunction with Windows 2000's Certificate Services.
Best features of Kerberos V5 is the single logon for user accounts (user need only be authenticated one time by a domain controller in order to gain access to network wide resources)
At logon the client encrypts the current timestamp with a key derived from the user's password and sends it to the domain controller (the Key Distribution Center, KDC) as pre-authentication. The KDC decrypts the timestamp with its own copy of the user's key; if it decrypts correctly and falls within the permitted clock skew (five minutes by default), the user is authenticated and the KDC sends two items back to the computer where the logon was initiated:
✦ Logon Session Key—a fresh key, encrypted with the user's key so that only that client can read it. It protects the client's later requests to the KDC; it carries no permissions.
✦ Ticket-Granting Ticket—encrypted with the key of the krbtgt account, so the client can store it but not read or alter it. It holds a copy of the session key and the user's authorization data (on Windows, the PAC with the user's SIDs) and is presented to the KDC to obtain service tickets for resources on the network.
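To make the exchange concrete, here is an added example (not code from the original page) that plays both sides of the Kerberos V5 AS exchange described above. The faithful parts are the password-to-key derivation through PBKDF2 (the AES string-to-key function works the same way), encrypted-timestamp pre-authentication, the clock-skew and replay checks, and an AS-REP that carries a TGT sealed under the krbtgt key together with a session key sealed under the user's key. The cipher itself is a constructed HMAC-SHA256 keystream with a MAC tag rather than a real Kerberos encryption type, and the realm and principal names are invented; timestamps are integer seconds so the example runs without a clock.

```python
import hashlib
import hmac
import os
import struct

MAX_SKEW = 300            # seconds; the Kerberos default clock skew is 5 minutes
TICKET_LIFETIME = 36000   # seconds; 10 hours, the Windows default TGT lifetime


def string_to_key(password, salt):
    """Password -> long-term key (PBKDF2, as the Kerberos AES etypes do)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)


def _keystream(key, nonce, length):
    out = b""
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + struct.pack(">I", counter), "sha256").digest()
    return out[:length]


def seal(key, plaintext):
    """Toy encrypt-then-MAC; unseal() fails closed on a wrong key or tampering."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """The domain controller side (Authentication Service)."""

    def __init__(self, realm):
        self.realm = realm
        self.user_keys = {}
        self.krbtgt_key = os.urandom(32)   # never leaves the KDC
        self.replay_cache = set()          # (principal, timestamp) pairs already accepted

    def add_user(self, principal, password):
        self.user_keys[principal] = string_to_key(password, self.realm + principal)

    def as_exchange(self, principal, pa_enc_timestamp, now):
        key = self.user_keys.get(principal)
        if key is None:
            raise PermissionError("unknown principal")
        try:
            ts = struct.unpack(">Q", unseal(key, pa_enc_timestamp))[0]
        except ValueError:
            raise PermissionError("pre-authentication failed")   # wrong password
        if abs(now - ts) > MAX_SKEW:
            raise PermissionError("clock skew too great")
        if (principal, ts) in self.replay_cache:
            raise PermissionError("replay detected")
        self.replay_cache.add((principal, ts))
        session_key = os.urandom(32)
        name = principal.encode()
        tgt_body = bytes([len(name)]) + name + session_key + struct.pack(">Q", now + TICKET_LIFETIME)
        # AS-REP: TGT under the krbtgt key, session key under the user's key
        return seal(self.krbtgt_key, tgt_body), seal(key, session_key)

    def decode_tgt(self, tgt):
        """Only the KDC can open a TGT; returns (principal, session key, expiry)."""
        body = unseal(self.krbtgt_key, tgt)
        n = body[0]
        return body[1:1 + n].decode(), body[1 + n:33 + n], struct.unpack(">Q", body[33 + n:41 + n])[0]


def client_logon(kdc, principal, password, client_now, kdc_now):
    """The workstation side: build PA-ENC-TIMESTAMP, send AS-REQ, open the AS-REP."""
    key = string_to_key(password, kdc.realm + principal)
    pa_enc_timestamp = seal(key, struct.pack(">Q", client_now))
    tgt, enc_part = kdc.as_exchange(principal, pa_enc_timestamp, kdc_now)
    return tgt, unseal(key, enc_part)


def try_logon(kdc, principal, password, client_now, kdc_now):
    """Outcome as a short string, so the failure modes are easy to compare."""
    try:
        client_logon(kdc, principal, password, client_now, kdc_now)
        return "ok"
    except PermissionError as err:
        return str(err)


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.LOCAL")
    kdc.add_user("alice", "correct horse battery staple")
    t = 1_700_000_000
    print(try_logon(kdc, "alice", "correct horse battery staple", t, t))       # ok
    print(try_logon(kdc, "alice", "correct horse battery staple", t, t))       # replay detected
    print(try_logon(kdc, "alice", "wrong", t + 1, t + 1))                      # pre-authentication failed
    print(try_logon(kdc, "alice", "correct horse battery staple", t - 1000, t))  # clock skew too great
```

The point the text makes about single logon is visible in decode_tgt(): the client holds the TGT as an opaque blob and replays it to the KDC for every service ticket, while the only secret it ever needed was the password, used once.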
Two command-line utilities handle bulk import. Comma-Separated Value Directory Exchange (CSVDE) adds objects to the Active Directory from a text file; however, CSVDE can only create objects: it cannot modify or delete them. The second utility is LDAP Data Interchange Format Directory Exchange (LDIFDE), which lets you create, modify and delete objects in bulk and can also export existing objects for editing and re-import.
Logon Workstations uses the NetBIOS protocol, so when you enter the computer name, use the NetBIOS name and not the full DNS name for the computer.
Active Directory is built on three different security components
1. Security Principals—Security Principals are users, groups, or computers.
2. Security Identifiers (SID)—A SID is a unique number that identifies a user, group, or computer account.
3. Security Descriptor—A Security Descriptor describes the permissions that have been assigned for an object.
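Because access checks compare SIDs rather than names, it pays to be able to take a SID apart. The following is an added example, not code from the original page: a parser for the textual SID form (S-1-5-21-...), the binary layout Windows stores (revision, sub-authority count, 48-bit identifier authority, then 32-bit little-endian sub-authorities), and the split between the domain SID and the RID that the RID master hands out. The sample SIDs are constructed; the well-known RIDs in the table are the standard ones.

```python
import struct

# RIDs below 1000 are reserved; these are the ones that matter most for access control.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


def parse_sid(text):
    """'S-1-5-21-a-b-c-rid' -> (revision, identifier authority, [sub-authorities])."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: " + text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if revision != 1 or authority >= 1 << 48 or len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("SID out of range: " + text)
    return revision, authority, subs


def is_valid_sid(text):
    try:
        parse_sid(text)
        return True
    except ValueError:
        return False


def sid_to_bytes(text):
    """Binary SID as stored in tokens and security descriptors."""
    revision, authority, subs = parse_sid(text)
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def bytes_to_sid(blob):
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("binary SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d%s" % (revision, authority, "".join("-%d" % s for s in subs))


def split_domain_rid(text):
    """Domain account SIDs are S-1-5-21-<three 32-bit values>-<RID>.
    Returns (domain SID, RID), or (None, None) for anything else (BUILTIN, well-known groups)."""
    _, authority, subs = parse_sid(text)
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        return "S-1-5-21-%d-%d-%d" % tuple(subs[1:4]), subs[4]
    return None, None


def describe(text):
    domain, rid = split_domain_rid(text)
    if domain is None:
        return "not a domain account SID"
    if rid in WELL_KNOWN_RIDS:
        return "%s (well-known RID %d)" % (WELL_KNOWN_RIDS[rid], rid)
    return "ordinary account, RID %d allocated from a RID pool" % rid


if __name__ == "__main__":
    for sid in ["S-1-5-21-1004336348-1177238915-682003330-500",
                "S-1-5-21-1004336348-1177238915-682003330-1105", "S-1-5-32-544"]:
        print(sid, "->", describe(sid), sid_to_bytes(sid).hex())
```

The reason describe() keys on the RID is the practical one: renaming the built-in Administrator account changes the name but never the RID, so a detection or an audit that looks for "Administrator" by name misses the account, while one that looks for RID 500 does not.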
On a Windows 2000 domain controller, System State data contains the following:
✦ Registry
✦ COM+ Class Registration database
✦ System boot files
✦ Active Directory Services database
✦ SYSVOL directory
You can back up System State data only on the local server; you cannot back up the System State of a remote computer.
The Active Directory is based on the Extensible Storage Engine (ESE) database and is considered a fault-tolerant, transaction-based database. This feature enables the Active Directory to totally manage and track its own data. There are two basic components of the Active Directory—the database file that contains all of the Active Directory objects and the transaction log files that provide the fault tolerance to the database.
Each domain controller holds the Active Directory database file, called Ntds.dit (directory information tree), found by default in %SystemRoot%\NTDS.
The database file stores information in three different tables:
✦ Object table—Contains objects and object attributes.
✦ Link table—Contains links or relationship information between the objects and attributes in the Object table.
✦ Schema table—contains the definitions of all the possible objects that can be created in the Active Directory.
Aside from the actual database file and the transaction log files, there are three other files used by the Active Directory:
✦ Checkpoint files—Checkpoint files hold pointers to transactions that have already been written to the database file.
✦ Reserved log files—reserved log files are used as backups in the case of low disk space.
✦ Patch files—Patch files are used to manage data during an online backup.
The current transaction log file is named Edb.log and is stored in the same directory as the database file. Edb.log has a fixed size of 10 MB. When it fills, a new log file is started and the old one is renamed edbxxxxx.log, where xxxxx is a hexadecimal sequence number. Once all of the transactions in an old log file have been committed to the database and are no longer needed for recovery, that log file is deleted.
Circular logging does not create new transaction log files, but rather overwrites the old one when it fills. In essence, it uses the same log file over and over by overwriting unneeded information. Circular logging enables the Active Directory to maintain fewer transaction logs, but for the best data recoverability, you should not use circular logging.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\CircularLogging
Enter a 1 to enable circular logging (0 to disable it). Leave it disabled on production domain controllers: with circular logging the logs written since the last backup are overwritten, so a restore can no longer be rolled forward through them.
The automatic cleanup process, called Garbage Collection, runs every twelve hours by default. During Garbage Collection, old transaction logs are deleted and expired objects are removed from the database. Deletion works through tombstoning: when you delete an object, say a printer, it is immediately turned into a tombstone, a stripped-down copy kept in the Deleted Objects container that normal queries do not show, and that tombstone replicates to the other domain controllers so they delete the object too. The tombstone is kept for the Tombstone Lifetime (60 days by default) before Garbage Collection removes it for good.
The tombstone lifetime is 60 days for Windows 2000 and Windows Server 2003 forests, and 180 days for forests created with Windows Server 2003 SP1 or later (a forest upgraded from an older version keeps its 60 days). Two practical consequences: a domain controller that has been offline longer than the tombstone lifetime must not simply be reconnected, and a backup older than the tombstone lifetime cannot be restored, because either would reintroduce objects that everyone else has already garbage-collected.
What this material calls ghost objects are better known as lingering objects: the object was deleted and garbage-collected on the other domain controllers, but one domain controller missed the deletion (usually because it was offline longer than the tombstone lifetime), so the object still appears in the directory there although it no longer exists. The word phantom means something different inside the database: an internal placeholder record for an object that is referenced from another domain or partition, which the Infrastructure master keeps current.
Update Sequence Numbers (USNs). Each domain controller keeps its own 64-bit USN counter and increments it on every write, whether originating or replicated, stamping the attribute that changed with the new value. Each attribute stamp also carries the originating domain controller's invocation ID, the USN that controller assigned, a version number and a timestamp. Replication partners compare these stamps, so a change made on one domain controller is recognizable as new on every other one until they have applied it.
Intrasite replication is replication that occurs within an Active Directory site.
Intersite replication is replication that occurs between different Active Directory sites.
Replication partitions
Schema partition - contains the definitions of every class and attribute the forest can store; there is one per forest and it is replicated to every domain controller.
Configuration partition - contains the physical structure of the Active Directory, such as where sites are located, which subnets and site links connect them, and which domains exist in the forest; it is replicated to every domain controller in the forest.
Domain partition - contains the domain's own objects (users, groups, computers, OUs) and is replicated only to the domain controllers of that domain, with a partial read-only copy going to every global catalog server.
Active Directory replication uses a process called store and forward. This simply means that replication changes are not directly sent to every domain controller. Instead, changes made on one domain controller are replicated to that domain controller’s replication partners, who then send the replicated data to their replication partners, and so forth until the replicated data reaches all domain controllers. Fortunately for us, the Active Directory internally determines which domain controllers will be partners. This is accomplished through an automatic replication topology generation through the Windows 2000 Knowledge Consistency Checker (KCC) service. The KCC is built in to every Windows 2000 domain controller and runs every 15 minutes by default.
In a site, a complete replication cycle should take 15 minutes or less.
Intrasite replication uses Remote Procedure Calls (RPC) over Internet Protocol (IP). The RPC/IP communication within a site is considered synchronous. In other words, after a domain controller sends a request for Active Directory data replication to the originating domain controller, it waits for a reply before requesting data from any other originating domain controller.
Intersite replication supports synchronous RPC/IP (compressed). However, intersite replication also supports Simple Mail Transfer Protocol (SMTP). The major difference is that RPC/IP is synchronous while SMTP is asynchronous, meaning a domain controller does not wait for a reply from one originating domain controller before making a replication request to another. SMTP can replicate the schema and configuration partitions (and the global catalog's partial replicas), but not the domain partition, so it cannot join two domain controllers of the same domain; it also needs an enterprise certification authority, because the replication mail is signed.
Use SMTP when you have unreliable site links and the sites on either end hold different domains.
The Active Directory uses pull replication: a domain controller requests changes from its direct replication partners (the source domain controllers where the changes were made or previously received) rather than the source pushing them out.
The Active Directory avoids most collisions by replicating at the attribute level. For example, if one administrator changes the name of a user account while another changes the password, no collision occurs, because each attribute is replicated on its own rather than the whole object. When two domain controllers really do change the same attribute before replicating, the copy with the higher version number wins; on equal versions the later timestamp wins, and on equal timestamps the higher originating invocation ID wins, so every domain controller converges on the same value.
Because the intrasite topology is a ring, a domain controller could be sent the same replication traffic more than once. The Active Directory prevents this through Propagation Dampening: using the requesting domain controller's up-to-date vector, the sending domain controller detects that a change has already reached it and leaves that change out, so nothing is sent twice to the receiving domain controller.
The Up-to-date vector is a value that a domain controller maintains in order to track all originating updates that have been received. When a domain controller requests a pull change from another domain controller, it sends its Up-to-date vector.
The High Watermark vector is maintained per source domain controller (and per partition) and records the highest USN already received from that source. Like the Up-to-date vector, the domain controller sends its High Watermark to the source, which then returns only changes above it. The High Watermark prevents the same changes from being sent twice by the same partner.
The major difference between the Up-to-date and High Watermark vectors is that the High Watermark vector maintains values for domain controllers from which it requests changes, while the Up-to-date vector is maintained for every domain controller that has ever issued an originating update.
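The pieces described over the last several paragraphs (per-DC USNs, attribute-level stamps, pull replication, the high-watermark, the up-to-date vector, propagation dampening and attribute-level conflict resolution) fit together more easily in running code. The following is an added example, not code from the original page: a small model with three domain controllers in a ring. Domain controller names stand in for invocation IDs, a shared counter stands in for the synchronized clock, and the object and attributes are constructed.

```python
import itertools

_clock = itertools.count(1)   # stands in for synchronized wall-clock time


class DC:
    def __init__(self, name):
        self.name = name             # plays the role of the invocation ID
        self.usn = 0                 # local USN: +1 on every write, originating or replicated
        self.objects = {}            # dn -> {attribute: stamp}
        self.high_watermark = {}     # source DC -> highest source USN already received
        self.utd = {}                # up-to-date vector: originating DC -> highest originating USN applied

    def write(self, dn, attr, value):
        """Originating update: new version, timestamp and local USN."""
        self.usn += 1
        old = self.objects.setdefault(dn, {}).get(attr)
        self.objects[dn][attr] = {
            "value": value,
            "version": old["version"] + 1 if old else 1,
            "ts": next(_clock),
            "orig_dc": self.name,
            "orig_usn": self.usn,
            "local_usn": self.usn,
        }
        self.utd[self.name] = self.usn

    def changes_for(self, partner):
        """Source side: everything above the partner's high-watermark for us,
        minus what the partner's up-to-date vector says it already has
        (propagation dampening)."""
        hwm = partner.high_watermark.get(self.name, 0)
        out = []
        for dn, attrs in self.objects.items():
            for attr, stamp in attrs.items():
                if stamp["local_usn"] <= hwm:
                    continue
                if partner.utd.get(stamp["orig_dc"], 0) >= stamp["orig_usn"]:
                    continue
                out.append((dn, attr, stamp))
        return out

    def pull_from(self, src):
        """Destination side. Returns (changes received, changes applied)."""
        changes = src.changes_for(self)
        applied = 0
        for dn, attr, stamp in changes:
            current = self.objects.setdefault(dn, {}).get(attr)
            incoming = (stamp["version"], stamp["ts"], stamp["orig_dc"])
            if current is None or incoming > (current["version"], current["ts"], current["orig_dc"]):
                self.usn += 1
                self.objects[dn][attr] = dict(stamp, local_usn=self.usn)
                applied += 1
            # a losing update still counts as seen, otherwise it would keep being offered
            self.utd[stamp["orig_dc"]] = max(self.utd.get(stamp["orig_dc"], 0), stamp["orig_usn"])
        self.high_watermark[src.name] = src.usn
        for dc, usn in src.utd.items():      # merge the source's up-to-date vector
            self.utd[dc] = max(self.utd.get(dc, 0), usn)
        return len(changes), applied


def value(dc, dn, attr):
    return dc.objects.get(dn, {}).get(attr, {}).get("value")


if __name__ == "__main__":
    dn = "CN=alice,OU=Staff,DC=example,DC=local"
    dc1, dc2, dc3 = DC("DC1"), DC("DC2"), DC("DC3")
    dc1.write(dn, "description", "initial")
    print("DC2 <- DC1", dc2.pull_from(dc1))   # (1, 1)
    print("DC3 <- DC2", dc3.pull_from(dc2))   # (1, 1)
    print("DC1 <- DC3", dc1.pull_from(dc3))   # (0, 0): dampened, the change came from DC1
```

The ring closes without the originating change returning to DC1, because DC3 consults DC1's up-to-date vector before sending. A deletion is just another write in this model (the isDeleted attribute of the tombstone), which is why the tombstone has to replicate everywhere before garbage collection may remove it.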
Schema determines what objects can be stored in the database, how they are stored, and how they are defined.
Metadata, which means “data about data.” The metadata determines what an object is and how it is defined. In other words, the metadata knows that user accounts may have qualities of user name, password, physical address, phone number, and so forth—not qualities such as one-sided, staple, color, and sort.
Every object has attributes, and every object belongs to a class as well. Classes are also a part of the metadata that also help define objects.
Each object belongs to at least one class, and each class belongs to a specific category of classes, which are as follows:
✦ Structural—Directory objects belong to structural classes: a structural class can be instantiated, as the User class is for every user object.
✦ Abstract—An abstract class is a template that is used to create new structural classes. Objects do not belong to abstract classes, but abstract classes do contain attributes they provide to other classes.
✦ Auxiliary—Auxiliary classes contain lists of attributes and help define structural and abstract classes.
There is also a special 88 class category that is used for backward compatibility for classes that do not fall under one of these three specifications. 88 classes were defined before the 1993 X.500 standards.
There is only one schema per Active Directory forest, so when you modify the schema, you modify it for your entire enterprise.
ADSI Edit is an MMC snap-in (shipped in the Windows 2000 Support Tools) that enables you to add, move, and delete objects as well as view and edit any attribute of an object, including ones the standard consoles hide. It is built on the Active Directory Services Interface (ADSI), the scripting API used to query and modify the directory and to define query scopes.
IntelliMirror – Active Directory, Group Policy, Offline Files, Synchronization Manager, Disk Quotas, Roaming User Profiles, Windows Installer, Remote Installation Services.
Service location (SRV) records are DNS resource records that map a service (LDAP, Kerberos, global catalog) to the hosts that offer it, with a priority, a weight and a port. Each domain controller's Netlogon service registers its own SRV records in DNS (under _msdcs and the _tcp subdomains of its domain), and clients query them to find a domain controller, preferably one in their own site.
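The following is an added example, not code from the original page, of how a client turns those records into a domain controller to contact: it parses a constructed zone fragment laid out the way Windows registers its records, tries the site-specific name before the domain-wide one, and orders the result by priority and weight as RFC 2782 prescribes. The rejection of targets outside the domain's DNS suffix is the example's own sanity check against a poisoned locator record, not a Windows behaviour; the zone data and host names are invented.

```python
import random
import re
from collections import defaultdict

SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?P<ttl>\d+)\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$")

# Constructed sample zone: three DCs, one site-specific record, one poisoned entry.
ZONE = """
; sample data, not a real zone
_ldap._tcp.dc._msdcs.example.local.               600 IN SRV 0  100 389 dc1.example.local.
_ldap._tcp.dc._msdcs.example.local.               600 IN SRV 0  100 389 dc2.example.local.
_ldap._tcp.dc._msdcs.example.local.               600 IN SRV 10 100 389 dc3.example.local.
_ldap._tcp.dc._msdcs.example.local.               600 IN SRV 0  100 389 rogue.attacker.test.
_ldap._tcp.Branch._sites.dc._msdcs.example.local. 600 IN SRV 0  100 389 dc3.example.local.
_kerberos._tcp.dc._msdcs.example.local.           600 IN SRV 0  100 88  dc1.example.local.
"""


def parse_srv_zone(text):
    """Zone-file lines -> {owner name: [(priority, weight, port, target), ...]}."""
    records = defaultdict(list)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if not m:
            raise ValueError("not an SRV record: " + line)
        records[m["name"].rstrip(".").lower()].append(
            (int(m["prio"]), int(m["weight"]), int(m["port"]), m["target"].rstrip(".").lower()))
    return records


def order_rrset(rrset, rand=random.random):
    """RFC 2782 ordering: lowest priority first; within a priority, weighted random."""
    ordered = []
    for prio in sorted({r[0] for r in rrset}):
        group = [r for r in rrset if r[0] == prio]
        while group:
            total = sum(r[1] for r in group)
            chosen = group[0]                 # all weights zero: take them in order
            if total:
                pick = rand() * total
                acc = 0
                for r in group:
                    acc += r[1]
                    if pick < acc:
                        chosen = r
                        break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def locate_dc(records, domain, site=None, service="ldap", rand=random.random):
    """Return ([(host, port), ...] in the order to try, [rejected targets]).
    The site-specific record set is used if it exists, else the domain-wide one."""
    domain = domain.lower()
    names = []
    if site:
        names.append(f"_{service}._tcp.{site}._sites.dc._msdcs.{domain}".lower())
    names.append(f"_{service}._tcp.dc._msdcs.{domain}")
    for name in names:
        rrset = records.get(name)
        if rrset:
            trusted = [r for r in rrset if r[3] == domain or r[3].endswith("." + domain)]
            rejected = [r[3] for r in rrset if r not in trusted]
            return [(r[3], r[2]) for r in order_rrset(trusted, rand)], rejected
    return [], []


if __name__ == "__main__":
    recs = parse_srv_zone(ZONE)
    print(locate_dc(recs, "example.local", site="Branch"))
    print(locate_dc(recs, "example.local"))
    print(locate_dc(recs, "example.local", service="kerberos"))
```

Passing rand=lambda: 0.0 makes the weighted choice deterministic, which is how the expected order is pinned down; in production the randomness is what spreads logons across equally weighted domain controllers.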
A zone is a contiguous portion of the DNS namespace that is segmented for management purposes. In a standard zone, one primary DNS server holds the writable primary zone database file; all other servers are secondaries that hold a read-only copy, the secondary zone database file, for load balancing and redundancy. All updates go to the primary and are copied to the secondaries through zone transfer. Active Directory-integrated zones store the zone in the directory instead, so every domain controller running DNS can accept updates and the zone data replicates along with Active Directory; this is also what makes secure dynamic update possible.
An authoritative restore restores an Active Directory backup and prevents the restored objects from being overwritten by replication: the restored objects' version numbers are raised so that, when replication resumes, the restored data replaces the copies on the other domain controllers rather than the reverse. A plain (non-authoritative) restore does the opposite and is brought back up to date by its partners.
Use the NTDSUTIL command-line utility to perform an authoritative restore: boot the domain controller into Directory Services Restore Mode, restore System State from a backup younger than the tombstone lifetime, then in ntdsutil enter authoritative restore and run restore subtree (with the distinguished name of the deleted OU or object) or restore database, and reboot.
Synchronization Manager works with offline files to ensure that a cached copy of a file is synchronized with the server’s copy when the user reconnects to the network.
To test whether a domain controller is also a global catalog server:
- Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
- Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
- Open the Servers folder, and then click the domain controller.
- In the domain controller's folder, double-click NTDS Settings.
- On the Action menu, click Properties.
- On the General tab, view the Global Catalog check box to see if it is selected.