
Active Directory for Windows Server
Sandeep Kapadane

Index

Active Directory Introduction


Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure
Active Directory database
Flexible Single Master Operations (FSMO) roles
Active Directory services

Active Directory
Introduction

What is Active Directory?

Active Directory is Microsoft's directory service, modelled on the X.500 recommendations. It is a database and directory service that maintains the relationships between resources and enables them to work together. It provides a centralized repository for user account information and handles directory authentication, authorization, and the assignment of rights and permissions.
It stores information in a hierarchical, tree-like structure. It depends on two Internet standards: DNS and LDAP. Information in Active Directory is queried with the LDAP protocol, and Kerberos V5 is used for authentication.

Do I Need Active Directory?

If I want to centrally manage access to resources such as printers, users and groups.
If I want to control user accounts from one location.
If I have applications that rely on Active Directory.

Active Directory Basics

The Basics

X.500 Recommendations
Domain Name System (DNS)
LDAP
Schema
Replication
Global catalog
Components of Active Directory

What are the X.500 Recommendations?

To address the needs of organizations, the ITU-T (then CCITT), together with ISO/IEC, developed a set of recommendations that define how a directory service should serve administrators and allow efficient management of network resources. These recommendations are known as the X.500 recommendations.

Domain Name System (DNS)

Domain Name System (DNS) is the hierarchical naming and name resolution system used on the Internet and on Windows networks.
It resolves a domain name to its related IP address.
Active Directory depends on DNS, and both share the same zone-naming conventions. Clients and domain controllers find each other through DNS SRV records (for example _ldap._tcp.<domain> and _kerberos._tcp.<domain>), so if DNS fails, domain controller location, logon and replication fail with it.

LDAP

LDAP (Lightweight Directory Access Protocol) is a directory access protocol used to exchange directory information between a server and its clients or between servers.
LDAP listens on TCP port 389; LDAP over SSL/TLS (LDAPS) uses port 636.
It was initially used as a front end to X.500, but it can also be used with stand-alone and other kinds of directory servers.
A simple bind on port 389 sends the password in clear text unless the session is protected with TLS (StartTLS or LDAPS) or with LDAP signing, so require signing on domain controllers and prefer LDAPS for application binds.

Schema

The schema is the set of building blocks of Active Directory. It holds all the information needed to create users, groups, computers, and so on within Active Directory. The schema defines the classes of objects that are allowed in the directory and the attributes associated with those objects. There is one schema per forest, replicated to every domain controller, so these definitions are consistent across all domains and security policies and access rights work the same everywhere. It defines how each attribute can be used and the properties associated with the attribute.

Schema Attributes

To standardize Active Directory, the schema defines the attributes that can be used when creating objects. Each attribute is defined only once and can be used by any object class. Defining an attribute once and using it for multiple objects gives a standardized way of defining objects; an example of an attribute is name.
Each attribute in the schema must have a unique OID (Object Identifier).

OIDs are allocated from registered arcs so that two organizations cannot pick the same value. Microsoft recommends obtaining your own arc, for example a Private Enterprise Number from the Internet Assigned Numbers Authority (IANA), which is issued free of charge under 1.3.6.1.4.1, and assigning the OIDs of your new attributes beneath it. Once assigned, an OID should never be reused for another attribute. Every new attribute needs its own OID; if you add one, allocate it from your registered arc so that it does not collide with anyone else's. Remember that schema additions are effectively permanent: attributes and classes can later be deactivated (made defunct) but never deleted, so test extensions in a lab forest first.

Schema classes

An object class is a defined grouping of attributes that makes up a unique resource type. One of the most common object classes is the user class, which serves as the template for a user account. When you create a user, the attributes defined for the user object class are used to define the new account.

Replication

Replication is the process of making a replica (a copy) of something. In Active Directory it is the automatic synchronization of directory data among domain controllers.
A change to a user account is made on one domain controller and then sent to every other domain controller in the domain; this transfer of data is called replication.
Replication can be a burden on the network, so to reduce it Active Directory replicates only the attributes that have changed, not the entire object.

Synchronization

The process of making two or more data stores or programs (on the same or different computers) hold exactly the same information at a given time.

Global Catalog

The Global Catalog maintains an index of objects. It contains full information about the objects in its own domain and a partial, read-only replica (the most commonly searched attributes) of the objects in every other domain in the forest.
Universal group membership is stored in the Global Catalog and replicated to every GC in the forest, which is why a GC must be reachable at logon to evaluate universal group membership.
The Global Catalog listens on TCP port 3268 (3269 over SSL/TLS).

Components of Active Directory

Components of Active Directory

There are two types of components:

Logical components
Domain
Tree
Forest
Organizational unit

Physical components
Site
Domain Controller

Logical Components of
Active Directory

Domain

The domain is the core unit of logical structure in Active Directory. A domain is the set of objects that share a common directory database, trust relationships with other domains, and security policies.
Each domain stores information about the objects that belong to it.
Security settings such as administrative rights, security policies, and Access Control Lists (ACLs) do not cross from one domain to another.
Domain Administrators have full rights to set policies only within their own domain.
Domains provide an administrative boundary for objects, manage security for shared resources, and are the unit of replication for objects. A domain is an administrative boundary, not a security boundary; the security boundary is the forest (see Forest below).

Tree

Trees are collections of one or more domains that allow global resource sharing. A tree may consist of a single domain or of multiple domains in a contiguous namespace.
A domain added to a tree becomes a child of an existing domain in the tree, which is then called its parent domain. A child domain can itself have multiple child domains. A child domain's name is its own label followed by the parent domain's name, so it gets a unique Domain Name System (DNS) name (for example sales.example.com as a child of example.com).

Forest

A forest is a collection of one or more domain trees that share a common global catalog, directory schema, logical structure, and directory configuration.
The primary security boundary for Active Directory is the forest, which contains the domain trees.
Forests allow organizations to group divisions that use different naming schemes and may need to operate independently, but that still want to communicate across the whole organization through transitive trusts and share the same schema and configuration container.
The first domain you create in the forest is called the forest root domain. It is the only domain that holds the Enterprise Admins and Schema Admins groups, and its own administrators can add themselves to those groups, so the root domain must be protected at least as well as any other domain in the forest.

Organizational unit

An organizational unit (OU) is a logical container within a domain used to organize users, groups and computers. OUs are the smallest scope to which Group Policy can be linked and to which administrative control can be delegated through ACLs, so OU design usually follows how administration is delegated rather than the organization chart.

Physical Components of
Active Directory

Site

A site contains Active Directory resources that are all connected by reliable, high-speed links (the original rule of thumb was at least 10 Mbps). Site membership is used in the logon process, as a computer attempts to locate a domain controller in its own site first; in replication, where intra-site replication is frequent and uncompressed while inter-site replication is scheduled and compressed over site links; in locating Global Catalog servers; and by the Exchange Server messaging infrastructure.

Domain Controller

A domain controller is a server that holds a writable copy of the Active Directory database for its domain, authenticates users and computers, and replicates with the other domain controllers.
It is the physical component of Active Directory and is used to control and manage the domains in an organization's forest. Because it holds ntds.dit and therefore every password hash in the domain, a domain controller (and its backups and virtual disks) must be protected as the most sensitive server in the organization.

Active Directory
Hierarchical Structure

[Diagram: a forest containing the forest root domain and several domain trees]

Active Directory Hierarchical Structure

The primary security boundary for Active Directory is the forest, which contains domain trees. There can be one or more domain trees in a forest; the first domain created is designated the forest root domain. A domain tree can contain multiple domains that share a contiguous namespace. Regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions over all domain trees: each forest has an Enterprise Admins group and a Schema Admins group, both located in the forest root domain, whose members have authority over every domain tree in the forest (Enterprise Admins is automatically a member of the Administrators group of every domain).
All domain controllers in the forest share the same schema.
Each domain has its own Domain Admins group and Administrators group.
Parent and child domains are joined by automatic two-way transitive trusts. These trusts let a user in one domain authenticate to resources anywhere in the forest; they do not give the administrators of a parent domain any rights in a child domain, or vice versa. Only Enterprise Admins spans domains. Conversely, because every domain in the forest trusts the others without SID filtering, a Domain Admin in any one domain can escalate to the whole forest, which is why the forest rather than the domain is the security boundary.
This type of structure is known as a hierarchical structure.

Active Directory
Database

Active Directory Database

Active Directory stores its data in a file named ntds.dit.
In addition to the database file, Active Directory uses transaction log files that hold changes before they are committed to the database: edb.log, edb.chk (the checkpoint file), and the reserve logs res1.log and res2.log (on Windows Server 2008 and later the reserve logs are named edbres00001.jrs and edbres00002.jrs). By default these files are located in the %systemroot%\NTDS folder.
During AD installation, Dcpromo lets you specify alternative locations for the log files and the database file, or you can use ntdsutil to move the database to another location after installation. ntds.dit contains every password hash in the domain, so wherever the files live they must be readable only by SYSTEM and Administrators, and backups or virtual machine disks that contain them need the same protection.

Move the database to another location

Start the computer in Directory Services Restore Mode, log on with the Directory Services Restore Mode Administrator account, open a command prompt and type:

ntdsutil (press Enter)
files (press Enter)
move DB to <new directory path> (press Enter)

Move the log files to another location

Same procedure, using the move logs command:

ntdsutil (press Enter)
files (press Enter)
move logs to <new directory path> (press Enter)

On Windows Server 2008 and later, ntdsutil needs activate instance ntds before the files command, and you can stop the Active Directory Domain Services service (net stop ntds) instead of booting into Directory Services Restore Mode. Use ntdsutil for the move rather than copying the files by hand: it updates the registry values that tell the directory where the files are and sets permissions on the new folder. Run integrity from the files menu afterwards to confirm the database is consistent.
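After a move it is worth confirming where the directory is actually reading its files from and who can get at them. The following PowerShell is an added example, not part of the original slides: it reads the NTDS\Parameters registry values that ntdsutil updates and compares the ACL of the database folder against the expected default of SYSTEM and Administrators only (that expected ACL, and the registry value names used, are assumptions stated in the code). Assumes it runs locally on the domain controller with administrative rights.

```powershell
# Added example, not from the original slides. Reads the locations Active
# Directory uses for ntds.dit and its logs (the NTDS\Parameters registry
# values, which ntdsutil rewrites on a move) and checks who can read the
# database folder. ntds.dit holds every password hash in the domain, so any
# principal beyond SYSTEM and Administrators on that folder is a finding.
# Assumption: the registry value names below are those of a 2003+ DC.

function Get-NtdsFileLocations {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $p = Get-ItemProperty -Path $key
    [pscustomobject]@{
        Database   = $p.'DSA Database file'        # full path to ntds.dit
        LogPath    = $p.'Database log files path'  # folder holding edb*.log / edb.chk
        WorkingDir = $p.'DSA Working Directory'
    }
}

function Test-NtdsFolderAcl {
    param(
        [string]$Path = (Split-Path -Parent (Get-NtdsFileLocations).Database),
        # Assumption: the default ACL on %systemroot%\NTDS is just these two.
        [string[]]$Allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
    )
    $acl   = Get-Acl -Path $Path
    $extra = @($acl.Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value })
    [pscustomobject]@{
        Path       = $Path
        Owner      = $acl.Owner
        Unexpected = @($extra | ForEach-Object {
                         "$($_.IdentityReference): $($_.FileSystemRights) ($($_.AccessControlType))" })
        Ok         = ($extra.Count -eq 0)
    }
}

Get-NtdsFileLocations
Test-NtdsFolderAcl | Format-List
# Run the same check against the log folder, which can be moved separately:
Test-NtdsFolderAcl -Path (Get-NtdsFileLocations).LogPath | Format-List
```

Anything listed under Unexpected deserves an explanation; a backup operator or a service account with read access to this folder can copy ntds.dit and the SYSTEM hive and recover every hash offline.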

Flexible Single Master Operations
(FSMO Roles)

What are the FSMO roles?

FSMO roles are specialized services within Active Directory that should be performed by only a single domain controller, because the operation in question cannot safely be done on several domain controllers at once and then reconciled by multi-master replication.
Five roles make up the FSMO (Flexible Single Master Operations) set:

Schema Master.
Domain Naming Master.
Infrastructure Master.
Relative Identifier (RID) Master.
Primary Domain Controller (PDC) Emulator.

By default all five roles are held by the first domain controller installed in the forest; you can transfer them so that each runs on its own domain controller. The first two are forest-wide; the last three exist once per domain.

FSMO Role:- Schema Master

The Schema Master domain controller controls all updates and modifications to the schema. Once a schema update is complete, it is replicated from the Schema Master to every other DC in the forest.

To update the schema of a forest, you must be a member of Schema Admins and have access to the Schema Master. Because a schema change affects every domain in the forest and cannot be undone, keep the Schema Admins group empty and add an account only for the duration of a planned change.

There can be only one Schema Master in the whole forest.

To see all FSMO role holders, run the command
netdom query fsmo /domain:<domain>

FSMO Role:- Domain Naming Master

The Domain Naming Master domain controller controls the addition or removal of domains (and application directory partitions) in the forest.
There can be only one Domain Naming Master in the whole forest.

FSMO Role:- Infrastructure Master

The Infrastructure Master domain controller is responsible for updating cross-domain object references: when an object from another domain that is referenced in this domain (for example a user from domain B who is a member of a group in domain A) is renamed or moved, the Infrastructure Master updates the SID and distinguished name held in the local reference.
There can be only one domain controller acting as Infrastructure Master in each domain.
The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server. If the Infrastructure Master runs on a Global Catalog server, it stops updating object information, because it never holds a reference to an object that it does not also hold: a Global Catalog server has a partial replica of every object in the forest. As a result, cross-domain object references in that domain are not updated, and a warning to that effect is logged in that DC's event log.
If all domain controllers in the domain also host the Global Catalog, every domain controller already has the current data and it does not matter which domain controller holds the Infrastructure Master role. The same is true once the Active Directory Recycle Bin is enabled, because every DC then updates its own cross-domain references.

FSMO Role:- RID Master

The RID Master is responsible for processing RID pool requests from all domain controllers in a particular domain.
When a DC creates a security principal object such as a user or group, it attaches a unique security identifier (SID) to the object. This SID consists of the domain SID (the same for all SIDs created in a domain) and a relative identifier (RID) that is unique for each security principal SID created in the domain.
Each DC in a domain is allocated a pool of RIDs (500 at a time by default) that it is allowed to assign to the security principals it creates.

When a DC's allocated RID pool falls below a threshold, that DC requests additional RIDs from the domain's RID Master. The RID Master responds by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.
At any one time there can be only one domain controller acting as RID Master in the domain. If the RID Master is unavailable for long, DCs that exhaust their pool can no longer create users, groups or computers. RIDs are never reused (a failed create still consumes one), so the domain's supply of about 2^30 RIDs can be depleted over time, which is why the pool is worth monitoring.
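To see the RID arithmetic above in practice, the following PowerShell is an added example, not part of the original slides. It reads the domain-wide pool from the RID Manager$ object on the RID Master and each writable DC's own block from its RID Set object, and reports how much is left. The packing of two 32-bit numbers into each 64-bit attribute is as documented by Microsoft; the interpretation of rIDNextRID as the next RID the DC will hand out is likewise documented. Assumes the RSAT ActiveDirectory module and a domain-joined session with read access to the System container.

```powershell
# Added example, not from the original slides. Reports RID consumption for
# the domain (from rIDAvailablePool on CN=RID Manager$) and per DC (from
# rIDAllocationPool / rIDNextRID on the DC's RID Set object).
# Both pool attributes pack two 32-bit values into one Int64:
#   high 32 bits = upper bound of the pool, low 32 bits = lower bound
#   (for rIDAvailablePool the low half is the next RID the master will issue).
Import-Module ActiveDirectory

function Split-RidPool {
    param([Parameter(Mandatory)][Int64]$Packed)
    $mask = [Int64]4294967295            # 0xFFFFFFFF as an Int64, avoids Int32 wrap-around
    [pscustomobject]@{
        High = [Int64]($Packed -shr 32)
        Low  = [Int64]($Packed -band $mask)
    }
}

function Get-RidPoolStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d   = Get-ADDomain -Identity $Domain
    $mgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $d.DistinguishedName) `
                        -Server $d.RIDMaster -Properties rIDAvailablePool
    $g = Split-RidPool $mgr.rIDAvailablePool
    [pscustomobject]@{
        Scope       = "domain $Domain (RID Master $($d.RIDMaster))"
        NextRid     = $g.Low
        Ceiling     = $g.High            # 1073741823 (2^30 - 1) unless the pool was unlocked
        Remaining   = $g.High - $g.Low
        PercentUsed = [math]::Round(100 * $g.Low / $g.High, 2)
    }
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $comp  = Get-ADObject -Identity $dc.ComputerObjectDN -Server $Domain -Properties rIDSetReferences
        $setDn = @($comp.rIDSetReferences)[0]
        if (-not $setDn) { continue }   # read-only DCs never receive a RID pool
        $set = Get-ADObject -Identity $setDn -Server $dc.HostName -Properties rIDAllocationPool, rIDNextRID
        $p   = Split-RidPool $set.rIDAllocationPool
        # rIDNextRID is 0 / absent until the DC has created its first principal
        $next = if ($set.rIDNextRID -ge $p.Low) { [Int64]$set.rIDNextRID } else { $p.Low }
        [pscustomobject]@{
            Scope       = $dc.HostName
            NextRid     = $next
            Ceiling     = $p.High
            Remaining   = $p.High - $next        # DC asks the RID Master for more as this runs low
            PercentUsed = [math]::Round(100 * ($next - $p.Low) / ($p.High - $p.Low), 2)
        }
    }
}

Get-RidPoolStatus | Format-Table -AutoSize
# Built-in equivalent: dcdiag /test:ridmanager /v
```

A domain whose PercentUsed climbs steadily without a matching growth in objects is leaking RIDs, typically through a provisioning script that retries failed creates; each failed attempt still burns a RID.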

FSMO Role:- PDC Emulator

The PDC Emulator is needed to synchronize time across a Windows enterprise.
Windows 2000/2003 includes the W32Time time service, which the Kerberos authentication protocol requires: Kerberos rejects tickets whose timestamps differ from the server's clock by more than the allowed skew (five minutes by default).
All Windows 2000/2003-based computers within an enterprise use a common time. The Windows Time service uses a hierarchical relationship that controls authority and does not permit loops, so that the whole enterprise converges on the same time.
The PDC Emulator of a domain is authoritative for that domain; the PDC Emulator at the root of the forest is authoritative for the enterprise, and should be configured to gather the time from

All PDC FSMO role holders follow the hierarchy of domains in selecting their inbound time partner.
The PDC Emulator role holder retains the following functions.

Password changes performed by other DCs in the domain are replicated preferentially (immediately) to the PDC Emulator.
Authentication failures that occur at a DC in the domain because of an incorrect password are retried at the PDC Emulator before a bad-password failure is reported to the user, so a freshly changed password works even before it has replicated everywhere.
Account lockout is processed on the PDC Emulator, which therefore holds the authoritative bad-password count and lockout time for the domain.
Editing or creation of Group Policy Objects (GPOs) is always done against the GPO copy in the PDC Emulator's SYSVOL share, unless the administrator deliberately selects a different domain controller.

At any one time there can be only one DC acting as PDC Emulator in each domain in the forest.

Viewing FSMO holders

Command to check all FSMO role holders in the domain domain.local:
netdom query fsmo /domain:domain.local

Using dcdiag:
dcdiag /test:knowsofroleholders /v

netdom and dsquery report the holders recorded in the directory, while dcdiag /test:knowsofroleholders asks each DC which holders it knows about; if the answers disagree, replication is lagging or a role has been seized.

You can find individual role holders with the dsquery command:

To find the Schema Master
dsquery server -hasfsmo schema
To find the Domain Naming Master
dsquery server -hasfsmo name
To find the Infrastructure Master
dsquery server -hasfsmo infr
To find the RID Master
dsquery server -hasfsmo rid
To find the PDC Emulator
dsquery server -hasfsmo pdc
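The same information is available from the ActiveDirectory PowerShell module, which also makes the two checks above easy to script. The following is an added example, not part of the original slides: it lists the five role holders, asks every DC in the domain for its own view of them (the knowsofroleholders check), and tests whether the Infrastructure Master sits on a Global Catalog while some DC in the domain is not a GC, the misplacement described under the Infrastructure Master. Assumes the RSAT ActiveDirectory module and a domain-joined administrative session; the function and parameter names are this example's own.

```powershell
# Added example, not from the original slides. FSMO holders plus two checks:
# (1) do all DCs agree on the holders (a disagreement means stale replication
#     or a seized role), and
# (2) is the Infrastructure Master on a GC while not every DC is a GC.
# Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [string]$Server)
    $srv = if ($Server) { @{ Server = $Server } } else { @{} }   # optionally ask one specific DC
    $d = Get-ADDomain -Identity $Domain @srv
    $f = Get-ADForest -Identity $d.Forest @srv
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # one per forest
        DomainNamingMaster   = $f.DomainNamingMaster    # one per forest
        InfrastructureMaster = $d.InfrastructureMaster  # one per domain
        RIDMaster            = $d.RIDMaster             # one per domain
        PDCEmulator          = $d.PDCEmulator           # one per domain
    }
}

function Compare-FsmoViews {
    # Equivalent of dcdiag /test:knowsofroleholders: each DC's own view of the holders.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $roles = 'SchemaMaster', 'DomainNamingMaster', 'InfrastructureMaster', 'RIDMaster', 'PDCEmulator'
    $views = foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try   { $v = Get-FsmoRoleHolders -Domain $Domain -Server $dc.HostName }
        catch { $v = $null }
        [pscustomobject]@{ DC = $dc.HostName; View = $v }
    }
    $reference = ($views | Where-Object View | Select-Object -First 1).View
    foreach ($entry in $views) {
        $diff = if (-not $entry.View) { 'unreachable' }
                else { $roles | Where-Object { $entry.View.$_ -ne $reference.$_ } }
        [pscustomobject]@{ DC = $entry.DC; Disagrees = (@($diff) -join ', ') }
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $d   = Get-ADDomain -Identity $Domain
    $dcs = @(Get-ADDomainController -Filter * -Server $Domain)
    $im  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }
    if (-not $im) { return "Infrastructure Master $($d.InfrastructureMaster) is not a DC of $Domain (seized/demoted?)" }
    $nonGc      = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $recycleBin = @((Get-ADOptionalFeature -Identity 'Recycle Bin Feature').EnabledScopes).Count -gt 0
    if ($recycleBin) {
        return "OK: AD Recycle Bin is enabled, every DC updates its own cross-domain references."
    }
    if (-not $im.IsGlobalCatalog) {
        return "OK: Infrastructure Master $($im.HostName) is not a Global Catalog."
    }
    if ($nonGc.Count -eq 0) {
        return "OK: all DCs in $Domain are Global Catalogs, so IM placement does not matter."
    }
    "WARNING: $($im.HostName) holds the Infrastructure Master role and is a GC, but $($nonGc.Count) DC(s) are not. " +
    "Move it: Move-ADDirectoryServerOperationMasterRole -Identity $($nonGc[0].HostName) -OperationMasterRole InfrastructureMaster"
}

Get-FsmoRoleHolders | Format-List
Compare-FsmoViews   | Format-Table -AutoSize
Test-InfrastructureMasterPlacement
```

Any non-empty Disagrees column is worth chasing before touching the roles: transferring a role while DCs disagree about its holder is how duplicate FSMO holders come about after a seizure.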

Active Directory
Services

Active Directory services

Distributed File System
Domain Name System (DNS) server
File Replication
Intersite Messaging
Kerberos Key Distribution Center
Remote Procedure Call (RPC) Locator
Active Directory Domain Services (AD DS)
Active Directory Lightweight Directory Services
Active Directory Federation Services
Active Directory Rights Management Services
Active Directory Certificate Services

Active Directory services

Distributed File System :- Manages logical volumes across local and wide area networks.
Domain Name System (DNS) server :- Responds to DNS queries and dynamic DNS update requests.
File Replication :- Allows files (notably the SYSVOL share) to be copied and kept consistent across multiple servers.
Intersite Messaging :- Allows messages to be exchanged between Windows servers; used for inter-site replication over SMTP and for site-link cost calculations.
Kerberos Key Distribution Center :- Enables users to log on to the domain using the Kerberos authentication protocol.

Active Directory services

Remote Procedure Call (RPC) Locator :- Enables RPC clients using the RpcNs* APIs to locate RPC servers.
Active Directory Domain Services (AD DS) :- Stores all information about resources on the network, such as users, computers and other devices.
Active Directory Lightweight Directory Services (AD LDS) :- Lets administrators run one or more small, stand-alone directory instances as Windows services, without domains or domain controllers.
Active Directory Federation Services (AD FS) :- Provides web single sign-on (SSO) so that a user authenticates once and can use multiple web applications in a single session.

Active Directory services

Active Directory Rights Management Services (AD RMS) :- Protects information from unauthorized use online and offline, inside and outside the environment.
Active Directory Certificate Services (AD CS) :- Issues and manages the certificates that bind users and resources to their key pairs, to help secure identity in a public key infrastructure (PKI)-based environment.

Finding highly privileged group membership

You can view the membership of a highly privileged domain group with the net.exe utility at a command prompt:
net.exe group "<domain group name>" /domain

For example, to view the membership of the Domain Admins group (the quotes are required because the name contains a space):
net.exe group "Domain Admins" /domain

net group lists only direct members; it does not expand nested groups, and from a child domain it cannot show Enterprise Admins or Schema Admins, because those groups exist only in the forest root domain.
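Because net group stops at direct membership, the review a practitioner actually wants expands nested groups and also catches accounts that were once privileged. The following PowerShell is an added example, not part of the original slides: it lists the effective membership of the built-in high-privilege groups and flags users that still carry adminCount=1 without belonging to any of them (AdminSDHolder sets that flag but never clears it, so such accounts keep a locked-down ACL and usually mark former administrators). Assumes the RSAT ActiveDirectory module; the group list is this example's own selection and is not exhaustive.

```powershell
# Added example, not from the original slides. Effective (nested) membership
# of high-privilege groups, plus "orphaned" adminCount=1 accounts.
# Assumes the RSAT ActiveDirectory module and a domain-joined session.
Import-Module ActiveDirectory

function Get-PrivilegedGroupMembers {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        # Assumption: the groups worth reviewing; extend to suit the environment.
        [string[]]$Groups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                              'Administrators', 'Account Operators', 'Backup Operators',
                              'Server Operators', 'Print Operators')
    )
    foreach ($name in $Groups) {
        $group = Get-ADGroup -Filter "Name -eq '$name'" -Server $Domain
        if (-not $group) { continue }   # Enterprise/Schema Admins exist only in the forest root
        # -Recursive expands nested groups and returns the leaf users/computers;
        # net group would show only the direct members.
        Get-ADGroupMember -Identity $group -Recursive -Server $Domain -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Group  = $name
                    Member = $_.SamAccountName
                    Class  = $_.objectClass
                    Sid    = $_.SID.Value
                }
            }
    }
}

function Get-OrphanedAdminCount {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $protected = Get-PrivilegedGroupMembers -Domain $Domain |
                 Where-Object { $_.Class -eq 'user' } |
                 ForEach-Object { $_.Member } | Sort-Object -Unique
    # krbtgt legitimately carries adminCount=1 without being in any of the groups above.
    Get-ADUser -LDAPFilter '(adminCount=1)' -Server $Domain -Properties adminCount |
        Where-Object { $_.SamAccountName -ne 'krbtgt' -and $protected -notcontains $_.SamAccountName } |
        Select-Object SamAccountName, DistinguishedName
}

Get-PrivilegedGroupMembers | Sort-Object Group, Member | Format-Table -AutoSize
Get-OrphanedAdminCount
```

Run it from the forest root domain to see Enterprise Admins and Schema Admins; a non-empty Schema Admins list outside a planned schema change is itself a finding.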

Finding users that have not logged on since last month

You can find such accounts in your organization's domain with the net.exe command:

net.exe user <username> /domain

It returns the domain account information for the user, such as when the user's password was last set, when the current password expires, and when the user last logged on:
net.exe user Testuser /domain

OR

net.exe user Testuser /domain | findstr /i "Last logon"

The "Last logon" value comes from the lastLogon attribute of the domain controller that answered the query. That attribute is not replicated, so a user who logs on through another domain controller appears never to have logged on here; check every domain controller, or use the replicated lastLogonTimestamp attribute, before disabling an account.
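The following PowerShell is an added example, not part of the original slides, showing both ways around the non-replicated lastLogon problem: a domain-wide stale-account report based on the replicated lastLogonTimestamp (good enough for a one-month window, since that attribute lags by at most its 14-day update interval), and an exact last-logon lookup that asks every DC and keeps the newest value. Assumes the RSAT ActiveDirectory module; Testuser is the account name used on the slide.

```powershell
# Added example, not from the original slides.
# lastLogon          : per-DC, never replicated, exact.
# lastLogonTimestamp : replicated, but only updated when the stored value is
#                      older than msDS-LogonTimeSyncInterval (14 days default).
Import-Module ActiveDirectory

function Get-StaleUserAccounts {
    param(
        [int]$Days = 30,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $cutoff = (Get-Date).AddDays(-$Days)
    Get-ADUser -Filter 'Enabled -eq $true' -Server $Domain `
               -Properties lastLogonTimestamp, pwdLastSet, whenCreated |
        ForEach-Object {
            $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                LastLogonApprox = $last                       # may lag up to 14 days
                PasswordLastSet = $(if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } else { $null })
                Created         = $_.whenCreated
            }
        } |
        Where-Object {
            # never logged on and created before the window, or last logon before the window
            (-not $_.LastLogonApprox -and $_.Created -lt $cutoff) -or
            ($_.LastLogonApprox -and $_.LastLogonApprox -lt $cutoff)
        }
}

function Get-ExactLastLogon {
    # Ask every DC for its own lastLogon and keep the newest one.
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    $latest = [Int64]0
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName -Properties lastLogon
        if ($u.lastLogon -gt $latest) { $latest = [Int64]$u.lastLogon }
    }
    if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
}

Get-StaleUserAccounts -Days 30 | Sort-Object LastLogonApprox | Format-Table -AutoSize
Get-ExactLastLogon -SamAccountName 'Testuser'
# One-line equivalent of the report (also driven by lastLogonTimestamp):
#   Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays(30)) -UsersOnly
```

Use the approximate report to build the candidate list and the exact lookup before acting on any account that matters, such as service accounts whose password has not changed in years.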

SOME USEFUL UTILITIES

Repadmin
NetDiag
DCDiag
DNSCMD
DNSLint
Account Lockout and Management Tools

Repadmin

The replication diagnostic tool, more commonly known by its short name repadmin, helps diagnose Active Directory replication problems between domain controllers.
It verifies replication consistency between replication partners, monitors replication status, displays replication metadata, and forces replication events and topology recalculation. Using this tool, administrators can look at the replication topology as seen from the point of view of each domain controller.
You can also use repadmin to force replication between domain controllers or to manually create a replication topology. Commonly used forms are repadmin /showrepl <dc> (inbound partners and the result of the last attempt), repadmin /replsummary (a forest-wide summary of failures) and repadmin /syncall <dc> /AdeP (push a synchronization of all partitions to every partner).
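The following PowerShell is an added example, not part of the original slides. It produces the view repadmin /showrepl and repadmin /replsummary give, one row per DC, inbound partner and partition, and flags partners that have not replicated successfully within a chosen window. Stale replication is a security problem, not only an operational one: a DC that is behind keeps accepting accounts that were disabled or deleted elsewhere and keeps honouring old passwords. Assumes the RSAT ActiveDirectory module and a domain-joined session; the function and parameter names are this example's own.

```powershell
# Added example, not from the original slides. Replication health per DC,
# partner and partition, built from the same metadata repadmin reads.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$StaleHours = 24
    )
    $limit = (Get-Date).AddHours(-$StaleHours)
    foreach ($dc in Get-ADDomainController -Filter * -Server $Domain) {
        try {
            $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -Scope Server `
                                                     -PartnerType Inbound -ErrorAction Stop
        } catch {
            [pscustomobject]@{ DC = $dc.HostName; Partner = '<unreachable>'; Partition = ''
                               LastSuccess = $null; Failures = -1; LastResult = $_.Exception.Message; Stale = $true }
            continue
        }
        foreach ($m in $meta) {
            # Partner is the DN of the partner's NTDS Settings object:
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,... -> keep <server>
            $partner = (($m.Partner -split ',')[1]) -replace '^CN=', ''
            [pscustomobject]@{
                DC          = $dc.HostName
                Partner     = $partner
                Partition   = $m.Partition
                LastSuccess = $m.LastReplicationSuccess
                Failures    = $m.ConsecutiveReplicationFailures
                LastResult  = $m.LastReplicationResult       # 0 = success, otherwise a Win32 error code
                Stale       = ($m.LastReplicationSuccess -lt $limit)
            }
        }
    }
}

# Only the problems, the way an operator scans repadmin /replsummary
Get-ReplicationHealth -StaleHours 24 |
    Where-Object { $_.Stale -or $_.Failures -gt 0 } |
    Format-Table DC, Partner, Partition, LastSuccess, Failures, LastResult -AutoSize

# Forest-wide failure list (the data behind repadmin /replsummary)
Get-ADReplicationFailure -Scope Forest -Target (Get-ADForest).Name |
    Select-Object Server, Partner, FailureCount, FirstFailureTime, LastError
```

A partner that has been failing longer than the tombstone lifetime (60 or 180 days depending on forest age) must not simply be forced back into sync; it will reintroduce objects the rest of the forest has deleted.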

NetDiag

NetDiag checks end-to-end network connectivity and distributed services functions.
This command-line tool (part of the Windows 2000/2003 Support Tools; it is not included in Windows Server 2008 and later) helps diagnose and isolate connectivity issues in your network. It does this by running a number of tests on the system and displaying network and configuration information.

DCDiag

DCDiag is a command-line utility that runs diagnostic tests against a domain controller. It runs many tests, and its output can span many screens.

If you want to perform specific tests against the domain controller, use the /test: switch. For instance, to make sure that the replication topology is fully interconnected, issue the command
dcdiag /test:topology

To test that replication is functioning properly, issue the command
dcdiag /test:replications

To view the status of global catalog replication, use the command
dcdiag /v /s:domain_controller_name | find "%"

DNSCMD

This command-line tool is found in the Support Tools folder of the Windows Server CD (from Windows Server 2008 on it ships with the DNS Server role and RSAT) and lets you create, modify and delete resource records and zones.

If you want to view the DNS information and statistics of a server, type

dnscmd <ServerName> /info

Other useful dnscmd switches are:

/ZoneInfo <ZoneName> : displays information about the target zone.
/DirectoryPartitionInfo <PartitionFQDN> : displays the directory partition information for the target partition.

DNSLint

This is a command-line utility for Windows Server 2003 and later, located in the Support Tools folder of the Windows Server CD. It checks and verifies DNS records and server functionality and generates a report in HTML.

dnslint /d domain_name | /ad [LDAP_IP_address] | /ql input_file [/c [smtp,pop,imap]] [/no_open] [/r report_name] [/t] [/test_tcp] [/s DNS_IP_address] [/v] [/y]

e.g.: dnslint /ad

When using DNSLint you must specify one of three switches: /d, /ql or /ad.
/d : diagnoses lame delegation and related problems for a domain, /ql : verifies a user-defined set of DNS records from an input file, /ad : verifies the DNS records used for Active Directory replication (the SRV and CNAME records under _msdcs).

Account Lockout and Management Tools

The acctinfo.dll file is part of the Account Lockout and Management Tools (ALTools) that you can download from Microsoft.
Acctinfo.dll adds a property page to the user account properties in Active Directory Users and Computers. This page lets you determine when the account's password was set, when the password expires, when the user last logged on or off the domain, and other lockout information.
LockoutStatus.exe displays information about a locked-out account. Use it to determine which domain controllers recorded bad-password attempts for the account and when the lockout occurred; the PDC Emulator's values are the authoritative ones, because bad passwords are chained to it.


THE END
