Thursday, September 12, 2013

Active Directory - Part 1

ACTIVE DIRECTORY

1. What is ADS?

Active Directory is the directory service included in the Windows 2000 Server products. A directory service is a network service that identifies all resources on a network and makes them accessible to users and applications.

2. What are the benefits of ADS?
  • Centralized data store
  • Scalability
  • Extensibility
  • Manageability
  • Integration with the Domain Name System (DNS)
  • Policy-based administration
  • Replication of information
  • Security
  • Interoperability with other directory services.

3. What is FSMO in ADS?

Active Directory supports multi-master replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in a multi-master fashion, so one or more domain controllers are assigned to perform them as single-master operations. These operation master roles (Flexible Single Master Operations, FSMO) are assigned to domain controllers to perform single-master operations. In any Active Directory forest, 5 operation master roles must be assigned to one or more domain controllers: two are forest-wide and must appear once in every forest, and three are domain-wide and must appear once in every domain.

Forest wide operation master roles

1. Schema master
The domain controller assigned the schema master role controls all updates and modifications to the schema. At any time there can be only one schema master in the forest.

2. Domain naming master
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest.

Domain wide operation master roles
Every domain in the forest must have the following roles

1. Relative Identifier master
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the domain controllers in its domain. At any time there can be only one RID master in each domain. Whenever a domain controller creates a user, group or computer object, it assigns the object a unique security ID (SID). The SID consists of the domain security ID and a relative ID that is unique for each SID created in the domain.
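The following Python example is added here to make the SID structure concrete; it is not part of the original post and not Microsoft's code. It splits a constructed sample SID into the domain SID and the RID, converts between the textual form and the binary layout of the objectSid attribute, and models a RID master handing out disjoint RID pools to two domain controllers so that the objects they create never receive the same SID. The starting RID and pool size are constructed values modelled on the defaults, and the class and function names are my own.

```python
import struct

# Constructed sample SID for a fictional domain; the last component (1104) is the RID.
SAMPLE_SID = "S-1-5-21-3623811015-3361044348-30300820-1104"


def split_sid(sid):
    """Split a textual SID into (domain_sid, rid).

    A domain SID has the form S-1-5-21-<a>-<b>-<c>. Every security principal in
    the domain gets that prefix plus one relative identifier, so the RID is the
    last sub-authority and the domain SID is everything before it.
    """
    parts = sid.split("-")
    if len(parts) < 5 or parts[0] != "S":
        raise ValueError("not a SID with a domain prefix and a RID: %r" % sid)
    return "-".join(parts[:-1]), int(parts[-1])


def sid_to_bytes(sid):
    """Encode a textual SID in the binary layout of the objectSid attribute:
    revision (1 byte), sub-authority count (1 byte), identifier authority
    (6 bytes, big-endian), then each sub-authority as a 32-bit little-endian int."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    blob = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    for sub in subs:
        blob += struct.pack("<I", sub)
    return blob


def sid_from_bytes(blob):
    """Decode the binary objectSid layout back to S-R-A-s1-s2-... text."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


class RidMaster:
    """The single RID master hands out disjoint blocks of RIDs to each DC.
    first_rid and block_size are constructed values modelled on the defaults
    (RIDs below 1000 are reserved for well-known accounts; blocks of 500)."""

    def __init__(self, first_rid=1000, block_size=500):
        self.next_rid = first_rid
        self.block_size = block_size

    def allocate_pool(self):
        """Return an inclusive (first, last) RID range nobody else will receive."""
        start = self.next_rid
        self.next_rid += self.block_size
        return start, self.next_rid - 1


class DomainController:
    """A DC creates security principals from its own pool and only asks the
    RID master for a new block when the pool is exhausted."""

    def __init__(self, name, domain_sid, rid_master):
        self.name = name
        self.domain_sid = domain_sid
        self.rid_master = rid_master
        self.pool_next = None
        self.pool_last = None

    def create_principal(self):
        """Build the SID of a new user/group/computer: domain SID + next RID."""
        if self.pool_next is None or self.pool_next > self.pool_last:
            self.pool_next, self.pool_last = self.rid_master.allocate_pool()
        rid = self.pool_next
        self.pool_next += 1
        return "%s-%d" % (self.domain_sid, rid)


def demo_unique_sids(objects_per_dc=600):
    """Two DCs each create objects without talking to each other; because the
    blocks come from one RID master the SIDs never collide.
    Returns (number created, number distinct)."""
    domain_sid, _ = split_sid(SAMPLE_SID)
    master = RidMaster()
    dcs = [DomainController("DC1", domain_sid, master),
           DomainController("DC2", domain_sid, master)]
    sids = [dc.create_principal() for dc in dcs for _ in range(objects_per_dc)]
    return len(sids), len(set(sids))


if __name__ == "__main__":
    print(split_sid(SAMPLE_SID))
    print(sid_to_bytes(SAMPLE_SID).hex())
    print(sid_from_bytes(sid_to_bytes(SAMPLE_SID)))
    print(demo_unique_sids())
```

Because each DC only ever assigns RIDs from a block that the one RID master gave to it alone, the two DCs in the demo can create 600 objects each without coordinating, and every resulting SID is still unique in the domain; that is the reason the role must have exactly one holder.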

2. Primary domain controller emulator

If the domain contains computers operating without Windows Server 2003 client software, or if it contains Windows NT BDCs, the domain controller assigned the PDC emulator role acts as the Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. At any time only one domain controller can act as the PDC emulator in a domain.

3. Infrastructure master

The domain controller assigned the infrastructure master role is responsible for updating the group-to-user references whenever the members of groups are renamed or moved. At any time there can be only one infrastructure master in the domain. When we rename or move a member of a group, the group might temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the updates via multi-master replication.

4. What is the Active Directory schema?

The Active Directory schema defines objects that can be stored in Active Directory. The schema is a list of definitions that determines the kinds of objects and the type of information about those objects that can be stored in Active Directory. The schema contains two types of definition objects: schema class objects and schema attribute objects. Schema class objects describe the possible Active Directory objects that can be created. Each schema class is a collection of schema attribute objects. For each object class, the schema defines what attributes an instance of the class must have, what additional attributes it can have, and what object class can be a parent of the current object class. Every object in Active Directory is an instance of a schema class object.
Schema attribute objects define the schema class objects with which they are associated. Each schema attribute is defined only once and can be used in multiple schema classes. Because the schema definitions are themselves stored as objects in Active Directory, they can be administered in the same manner as the rest of the objects in Active Directory.

5. What are the functions of a domain controller?

A domain controller is a computer running Windows 2000 Server that stores a replica of the domain directory (local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain's portion of the directory.
The functions of domain controllers include the following:
  1. Each domain controller stores a complete copy of all Active Directory information for that domain, manages changes to that information, and replicates those changes to other domain controllers in the same domain.
  2. Domain controllers in a domain automatically replicate all objects in the domain to each other.
  3. Domain controllers immediately replicate certain important updates, such as the disabling of a user account.
  4. Active Directory uses multi-master replication, in which no one domain controller is the master domain controller. Instead, all domain controllers within a domain are peers, and each domain controller contains a copy of the directory database that can be written to.
  5. Domain controllers detect collisions, which can occur when an attribute is modified on a domain controller before a change to the same attribute on another domain controller is completely propagated.
  6. Having more than one domain controller in a domain provides fault tolerance. If one domain controller is offline, another domain controller can provide all required functions, such as recording changes to Active Directory.
  7. Domain controllers manage all aspects of user-domain interaction, such as locating Active Directory objects and validating user logon attempts.

6. What is the difference between Forest, Tree and Domain?

Domains

The core unit of logical structure in Active Directory is the domain. Grouping objects into one or more domains allows your network to reflect your company's organization. Domains share the following characteristics:
  • All network objects exist within a domain, and each domain stores information only about the objects that it contains. Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is a more practical amount.
  • A domain is a security boundary. Access control lists (ACLs) control access to domain objects. ACLs contain the permissions associated with objects that control which users can gain access to an object and what type of access users can gain.

Trees

A tree is a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous namespace. Trees have the following characteristics:
  • Following DNS standards, the domain name of a child domain is the relative name of that child domain appended with the name of the parent domain.
  • All domains within a single tree share a common schema, which is a formal definition of all object types that you can store in an Active Directory deployment.
  • All domains within a single tree share a common Global Catalog, which is the central repository of information about objects in a tree.

Forests

A forest is a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace. Forests have the following characteristics:
  • All trees in a forest share a common schema.
  • Trees in a forest have different naming structures, according to their domains.
  • All domains in a forest share a common Global Catalog.
  • Domains in a forest operate independently, but the forest enables communication across the entire organization.

7. How to locate Active Directory objects?
Use the Find option in Active Directory Users and Computers, or use the dsquery command.
dsquery is a command-line tool that finds computers, groups, OUs, sites, servers etc.
Eg: dsquery computer
dsquery ou
dsquery user OU=Marketing,DC=Microsoft,DC=Com
* OUs are not security principals, so we cannot assign permissions to OUs.
* whoami is a command-line tool that can be used to get details about the currently logged-on user. whoami /all can be used to view the SID and group memberships.

8. Where is the Active Directory data stored?

Installing Active Directory creates database and log files. The default location of the database and log files is %systemroot%\ntds (%systemroot% is typically C:\Windows). For best performance and fault tolerance we should keep the database and log files on separate hard disks formatted with the NTFS file system (recommended, not required). The space required for Active Directory at the time of installation is 200 MB for the database and 50 MB for the log files. The database is stored in a file named Ntds.dit (New Technology Directory Services Directory Information Tree), which contains the schema, the Global Catalogue and the objects stored in Active Directory. When Active Directory is installed, Ntds.dit is copied from %systemroot%\system32 to the directory we specify at the time of installation.
Installation of Active Directory also creates a shared folder, the system volume. It stores public files that must be replicated to other domain controllers, such as logon scripts and some of the GPOs. The default location of the shared system volume is %systemroot%\sysvol.

9. What is system state data?

System state data constitutes the system components and all distributed services that Active Directory requires. Collectively these components and services are called system state data. It comprises:
Registry
COM+ Class Registration database
System boot files
Files under Windows File Protection
Certificate Services databases
If the server is a domain controller, the system state data also contains:
Active Directory and the Sysvol directory.

10. What is the difference between rights and permissions?

Permissions control what users can do with a resource such as a folder, file, or printer. When you assign permissions, you allow users to gain access to a resource and you define the type of access that they have. For example, if several users need to read the same file, you can add their user accounts to a group and then give the group permission to read the file. Rights allow users to perform system tasks, such as changing the time on a computer and backing up or restoring files.

11. What are the three administrative consoles available with Active Directory?

Active Directory Domains and Trusts

Active Directory Domains and Trusts provides the interface to manage domains and to manage trust relationships between forests and domains. Using Active Directory Domains and Trusts we can:
Provide interoperability with other domains
Change the domain functional level
Change the forest functional level
Add and remove UPN suffixes
Transfer the domain naming master operations master role from one domain controller to another


Active Directory Sites and Services

It is used to provide information about the physical structure of the network by publishing the sites to Active Directory. Active Directory uses this information to determine how to replicate directory information and handle service requests.

Active Directory Users and Computers

It allows adding, modifying, deleting and organizing Windows Server 2003 user accounts, computer accounts, security and distribution groups and published resources in the organization's directory. It also allows managing domain controllers and OUs.

12. What is a Global Catalogue server?

Active Directory allows users and administrators to find objects (such as files, printers, or users) in their own domain. However, finding objects outside of the domain and across the enterprise requires a mechanism that allows the domains to act as one entity. A catalog service contains selected information about every object in all domains in the directory, which is useful in performing searches across an enterprise. The catalog service provided by Active Directory is called the Global Catalog. It stores a full replica of all object attributes for its host domain and a partial replica, holding the attributes most frequently used in search operations, for the objects of the other domains in the forest. (If a user is a member of the Domain Admins group he is able to log on to the network even when the Global Catalogue is not available.) The Global Catalog is the central repository of information about objects in a tree or forest.
Its main functions are:
1) It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
2) It enables finding directory information regardless of which domain in the forest actually contains the data.
3) It resolves UPNs (User Principal Names) when the authenticating domain controller does not have knowledge of the account.
The Universal Group membership caching feature allows a site that does not contain a Global Catalogue server to be configured to cache universal group membership for users who log on to domain controllers in the site. This feature allows a domain controller to process user logon requests without contacting the Global Catalogue server, or when the Global Catalogue server is unavailable. This feature eliminates the need to deploy a Global Catalogue server in small offices.
It has the following advantages:
  • Fast user logon times
  • No need for extra hardware
  • Minimized network bandwidth usage

13. What are Netdiag and DCdiag?

Netdiag, the network connectivity tester, is a command-line diagnostic tool included with the Windows Support Tools. It helps to isolate networking and connectivity problems by performing a series of tests to determine the state of the network client. It can fix simple DNS problems with the /fix switch.
Dcdiag is the domain controller diagnostic tool. It is a command-line tool included with the Windows Support Tools. Dcdiag runs a series of tests to verify different functional areas of Active Directory.

14. What are domain functional levels?

Domain functional levels provide a way to enable domain-wide Active Directory features within the network environment. Four functional levels are available:
1. Windows 2000 mixed
Windows 2000 mixed allows a Windows Server 2003 domain controller to interact with domain controllers in the domain running Windows NT 4, Windows 2000 and Windows Server 2003.
2. Windows 2000 native
Windows 2000 native allows domain controllers running Windows Server 2003 to interact with domain controllers running Windows 2000 Server or Windows Server 2003 or later.
3. Windows Server 2003 interim
It allows a domain controller running Windows Server 2003 to interact with domain controllers running NT 4 or Windows Server 2003. It is an option only when upgrading the first Windows NT domain to a new forest, and can be manually configured after the upgrade.
4. Windows Server 2003
It allows interaction only with other domain controllers running Windows Server 2003.

15. What is the forest functional level in AD?

It provides a way to enable forest-wide Active Directory features within the forest-wide network environment. The three functional levels available are:
Windows 2000
Windows Server 2003 interim
Windows Server 2003

16. What is a domain namespace?

The domain namespace is the naming scheme that provides the hierarchical structure for the DNS database. Each node, referred to as a domain, represents a partition of the DNS database.

17. What is a user profile, and what are the different types of user profiles?

A user profile is a collection of folders and data that stores your current desktop environment, application settings, and personal data. It also contains all the network connections that are established when you log on to a computer, such as Start menu items and drives mapped to network servers. The user profile maintains consistency by providing the same desktop environment every time you log on to the computer.
User profile settings include:
Shortcuts in the Start menu, desktop and Quick Launch bar
Documents on the desktop
Internet Explorer favourites and cookies
Certificates
Application-specific files
My Network Places
Desktop display settings such as wallpaper, screen saver etc.
Local user profile: Windows XP Professional creates a user profile the first time that a user logs on at a computer. After the user logs on for the first time, Windows XP Professional stores the local profile on that computer.
Roaming user profile: It is especially helpful in a domain environment because it follows the user around, setting up the same desktop environment for the user no matter which computer the user logs on to in the domain. A roaming user profile is based on the server and is downloaded to the local computer every time the user logs on. The first time a user logs on to a computer, Server 2003 copies all documents to the computer; thereafter, when the user logs on to the computer, Server 2003 compares the locally stored user profile files and the roaming user profile files. It copies only the files that have changed since the last time the user logged on at the computer.
To configure a roaming user profile, create a shared folder on a server. Ideally the server should be a file server that is frequently backed up. Also make sure that the share permissions allow Everyone Full Control; the Windows Server 2003 default share permission is Read, which is not sufficient for a roaming profile share. The profile path is set in the Profile tab of the user properties dialogue box, in the format \\server\share\username.
Unlike earlier versions of Windows, Windows Server 2003 doesn't download the entire user profile at logon and logoff; instead the user profile is synchronised.
Mandatory user profile: A read-only roaming user profile is called a mandatory user profile. When the user logs off, the operating system does not save any changes made to the desktop environment during the session, so the next time the user logs on the profile is exactly the same as the last time the user logged on. We can create a mandatory user profile template first and add the users as desired. A hidden file in the profile called Ntuser.dat contains the section of Windows Server 2003 system settings that applies to the individual user account and contains the user environment settings. To configure a user profile as mandatory, we rename Ntuser.dat to Ntuser.man (Ntuser.dat is a hidden file located in C:\Documents and Settings\<profile>).
Temporary user profile: Only used for temporary users.

18. What is a home folder?
In addition to the My Documents folder, Windows XP Professional allows you to create home folders for users to store their personal documents. You can store a home folder on a client computer, in a shared folder on a file server, or in a central location on a network server.
Storing all home folders on a file server provides the following advantages:
  • Users can access their home folders from any client computer on the network.
  • You can centralize backing up and administering user documents by moving the responsibility for backing up and managing the documents out of the hands of the users and into the hands of one of the network backup operators or network administrators.

19. How will you create an OU?

Open Active Directory Users and Computers. Right-click the location where we want to create the OU (it may be a domain or another OU), point to New and select Organizational Unit.

20. Where will you find the password policy?

Computer Configuration - Windows Settings - Security Settings - Account Policies - Password Policy


21. What is the difference between 2000 and 2003 AD?

Windows Server 2003 is grounded in the same Active Directory structure as Windows 2000, where each domain controller holds a read-write copy of the AD database, relying on multi-master replication to keep everything up to date. There are lots of changes made in AD 2003:

1. By using ADMT (Active Directory Migration Tool version 2.0) it is easy to migrate from Windows NT directory services.
2. Domain rename: We can rename the domain without reconstructing the entire domain.
3. Schema redefinition: Schema attributes and classes can be redefined if an error occurs in the original definition.
4. Group Policy improvements: GPMC lets administrators manage Group Policy for multiple domains and sites within a given forest, all in a simplified user interface (UI) with drag-and-drop support. Highlights include new functionality such as backup, restore, import, copy, and reporting of Group Policy objects (GPOs).
5. In the Windows Server 2003 Active Directory Users & Computers MMC snap-in, you can now move an object from one location in the directory tree to another by using the familiar drag-and-drop method, rather than being forced to right-click the object and select "Move", as was the case in Windows 2000.
6. You can also now select multiple objects simultaneously for editing or deletion, and save commonly used queries within the ADUC console window.
7. Windows Server 2003 includes a number of built-in command-line tools that were not available in Windows 2000, including: dsadd, dsmove, dsrm, dsquery, dsget.
8. Another new feature is the "Install from Media" option for promoting new domain controllers into a domain. In Windows 2000, if you needed to install a domain controller at a remote location, you had to travel to the location.
9. Another significant change, particularly for larger environments, is a replication enhancement called linked-value replication for objects such as Active Directory group objects. In Windows 2000, a group's membership list was replicated as one single block of information.
10. Application directory partitions: Some directory information does not need to be globally available. This feature provides the capability to host data in Active Directory without significantly impacting the network.
11. The Universal Group membership caching feature is not available in Windows 2000.

22. Rules for FSMO Placement

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

  • Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferably not a global catalog server (GC) since those are often heavily used also.

Rule 2: The Infrastructure Master should not be placed on a GC.

  • Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
  • Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
  • Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

  • Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.

  • Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.
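As an added check that is not part of the original post, here is a small Python script that applies rules 1 to 4 above to a constructed inventory of domain controllers and reports the placements that break a rule. The DC names, sites, global catalog flags and role holders are all made up, and the function names are mine; the "direct replication partner" part of the tips is simplified to "a GC exists in the same site".

```python
# Constructed inventory of the DCs of one domain in a fictional two-domain forest.
# Names, sites and role holders are made up. Role names: schema, naming (domain
# naming master), rid, pdc (PDC emulator), infrastructure.
BAD_DCS = {
    "DC1": {"site": "HQ",     "gc": True,  "roles": {"schema", "naming"}},
    "DC2": {"site": "HQ",     "gc": True,  "roles": {"pdc", "infrastructure"}},
    "DC3": {"site": "Branch", "gc": False, "roles": {"rid"}},
}

# Same forest with the placement corrected according to rules 1-3.
FIXED_DCS = {
    "DC1": {"site": "HQ",     "gc": True,  "roles": {"schema", "naming"}},
    "DC2": {"site": "HQ",     "gc": False, "roles": {"pdc", "rid", "infrastructure"}},
    "DC3": {"site": "Branch", "gc": True,  "roles": set()},
}

ALL_ROLES = ("schema", "naming", "rid", "pdc", "infrastructure")


def role_holder(dcs, role):
    """Name of the DC holding `role`, or None if nobody does (rule 4 check).
    A role held by two DCs is a configuration error, not a placement choice."""
    holders = [name for name, dc in dcs.items() if role in dc["roles"]]
    if len(holders) > 1:
        raise ValueError("role %s held by more than one DC: %s" % (role, holders))
    return holders[0] if holders else None


def gc_in_site(dcs, site):
    """True if at least one GC exists in `site` (a candidate replication partner)."""
    return any(dc["gc"] and dc["site"] == site for dc in dcs.values())


def check_fsmo_placement(dcs, domains_in_forest=1, forest_level="2000"):
    """Apply rules 1-4 from the text and return the list of findings (empty = OK)."""
    findings = []
    held = {role: role_holder(dcs, role) for role in ALL_ROLES}
    for role, name in held.items():
        if name is None:
            findings.append("rule 4: no DC holds the %s master role" % role)
    if findings:
        return findings  # placement of a missing role cannot be judged

    # Rule 1: PDC emulator and RID master belong together.
    if held["pdc"] != held["rid"]:
        findings.append("rule 1: PDC emulator (%s) and RID master (%s) should be on the same DC"
                        % (held["pdc"], held["rid"]))

    # Rule 2: infrastructure master not on a GC, unless the forest has a single
    # domain (exception 1) or every DC is a GC (exception 2).
    im = held["infrastructure"]
    every_dc_is_gc = all(dc["gc"] for dc in dcs.values())
    if dcs[im]["gc"] and domains_in_forest > 1 and not every_dc_is_gc:
        findings.append("rule 2: infrastructure master %s is a GC in a multi-domain forest" % im)
    if not gc_in_site(dcs, dcs[im]["site"]):
        findings.append("rule 2 tip: no GC in site %s for infrastructure master %s to replicate with"
                        % (dcs[im]["site"], im))

    # Rule 3: schema master and domain naming master together, on a GC.
    sm, nm = held["schema"], held["naming"]
    if sm != nm:
        findings.append("rule 3: schema master (%s) and domain naming master (%s) could share one DC"
                        % (sm, nm))
    if not dcs[sm]["gc"]:
        findings.append("rule 3: schema master %s should be a GC" % sm)
    if not dcs[nm]["gc"]:
        # Exception: at the Windows Server 2003 forest level a GC in the same
        # site is enough for the domain naming master.
        if not (forest_level == "2003" and gc_in_site(dcs, dcs[nm]["site"])):
            findings.append("rule 3: domain naming master %s should be a GC" % nm)
    return findings


if __name__ == "__main__":
    for label, dcs in (("BAD_DCS", BAD_DCS), ("FIXED_DCS", FIXED_DCS)):
        print(label, check_fsmo_placement(dcs, domains_in_forest=2) or ["no findings"])
```

Run against BAD_DCS in a two-domain forest the script flags rule 1 (PDC emulator and RID master on different DCs) and rule 2 (infrastructure master on a GC); the same inventory in a single-domain forest only trips rule 1, which is exception 1 at work. A real check would pull the same facts with the consoles listed under "How to view the operation master role assignment" further down and feed them into this function.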

23. What are the benefits of AD over NT directory services?

1) In AD, domains are organized in a hierarchy, so the concepts of tree and forest were introduced.
2) Another difference is the application and configuration of trust relationships between domains in the same organization. Rather than establishing a mesh of one-way trusts (as in Windows NT 4), Windows 2000 implements transitive trusts that flow up and down the domain tree structure. This model simplifies Windows network administration.
3) OUs were introduced with Windows 2000 Active Directory.
Backup and Restore of AD
We can back up the Active Directory data with the help of the Backup or Restore Wizard. When we back up Active Directory it will back up all system components and distributed services that Active Directory requires. Collectively these components are known as system state data. (We can't back up the system state of a remote computer.)
Normal backup is the only type of backup supported by Active Directory.
Restoring Active Directory
There are 2 types: non-authoritative (default) and authoritative.
In a non-authoritative restore, the distributed services on the domain controller are restored from the backup media and the restored data is then updated through normal replication. A non-authoritative restore is performed when a domain controller has failed totally due to a hardware or software problem. The changes that happened after that backup will be replicated from the other domain controllers.
Authoritative restore
It brings a domain or container back to the state it was in at the time of backup and overwrites all changes made since the backup. We must perform an authoritative restore if we inadvertently delete users, groups or OUs from Active Directory.
To authoritatively restore system state data we must run the Ntdsutil utility after we perform a non-authoritative restore of the system state, but before we restart the server. Ntdsutil allows us to mark objects as authoritative: it changes the update sequence number of the object so that it is higher than that of the copies on the other domain controllers, and the restored copy therefore wins when replication resumes.

24. How will you perform a non-authoritative restore?

We must first start the computer in a special safe mode called Directory Services Restore Mode.
Then restore the system state.

25. How will you perform an authoritative restore?
Perform a non-authoritative restore
Restart
Press F8
Select Directory Services Restore Mode
At the command prompt type ntdsutil
At the ntdsutil prompt type authoritative restore
To restore the entire directory type "restore database"
To restore a specific object such as an OU type "restore subtree subtree_distinguished_name", then type quit

26. What do you mean by transfer and seizure of FSMO roles?
Normally we transfer an operation master role when we want to move a role from one server to another.
Seizing an operation master role means moving it without the cooperation of its current owner. Normally we seize a role when the domain controller holding that role fails and we do not intend to restore it. Seizing an operation master role is a drastic step that should be considered only if the current operation master will never be available again.

27. How will you identify that the FSMO roles have failed?
Schema master failure: Noticed when we try to modify the schema or try to install a program that modifies the schema during the installation.
Domain naming master failure: Noticed when we try to add a domain to a forest or try to remove a domain from a forest.
RID master failure: Noticed when we try to create new objects.
PDC emulator failure: It will affect the network users, and we should immediately seize the role.
Infrastructure master failure: Noticed when moving or renaming a large number of accounts.


28. What is the step-by-step procedure for transferring a FSMO role?
To perform a role transfer both domain controllers should be available and connected to each other. To transfer the RID, PDC emulator or infrastructure master role:
Open Active Directory Users and Computers (for the domain naming master, use Active Directory Domains and Trusts)
Click Connect to Domain
Click Connect to Domain Controller
Select the domain controller and click OK
Right-click Active Directory Users and Computers, click All Tasks, then Operations Masters
Click the RID tab and click Change; repeat in the same way for the other roles.
Seizure is a two-step process:
1. Check with the repadmin tool that the domain controller which will seize the role is fully up to date, and
2. Seize the role with the ntdsutil utility.
Steps: Type cmd - type ntdsutil - type roles - type connections
Type connect to server followed by the FQDN, then type quit
Then type seize schema master (for seizing the schema master) and press Enter
Type seize domain naming master and press Enter
Type seize RID master and press Enter
29. How will you check that replication is up to date?
With the help of Repadmin.exe (a support tool in Support\Tools), type cmd and then:
C:\>repadmin /showutdvec server.microsoft.com dc=microsoft,dc=com
30. Why should the infrastructure master role not be placed on a Global Catalogue server?
If the infrastructure master and the Global Catalogue are on the same domain controller, the infrastructure master will not function: it will never find data that is out of date, so it will never replicate the changes to the other domain controllers. If all of the domain controllers host the Global Catalogue, all will have the current data; in such cases it is not a problem.
How to view the operation master role assignment?
AD Users and Computers > All Tasks > Operations Masters (RID, PDC, Infrastructure)
AD Domains and Trusts > right-click > Operations Master > Domain naming master
AD Schema snap-in (it must be installed separately) > Operations Master
Active Directory replication: Replication ensures that changes to a domain controller are reflected in all domain controllers within the domain. The information stored in the directory is logically partitioned into 4 categories, which are:
Schema partition: This partition defines the objects that can be created in the directory and the attributes those objects can have.
Configuration partition: This partition defines the logical structure of the deployment, including data such as domain structure or replication topology.
Domain partition: This partition describes all of the objects in a domain.
Application directory partition: This partition stores dynamic application-specific data in Active Directory.
A domain controller stores and replicates:
  • The schema partition data for a forest: It contains the definitions of objects that can be created in the forest and the attributes those objects can have.
  • The configuration partition data for all domains in the forest: It contains objects that represent the logical structure of the forest deployment, domain structure and replication topology.
  • The domain partition data (all directory objects and properties) for its domain. This data is replicated to additional domain controllers.
A Global Catalogue server stores and replicates:
  • The schema partition data for a forest
  • The configuration partition data for all domains in the forest
  • A partial replica containing commonly used attributes for all directory objects in the forest
  • A full replica containing all attributes for all directory objects in the domain in which the Global Catalogue is located

31. What are the actions that trigger replication?
  • Creating an object
  • Modifying an object
  • Moving an object
  • Deleting an object

There are two ways of replicating Active Directory: intrasite and intersite.

Intrasite Replication
Within a site, a Windows Server 2003 service known as the Knowledge Consistency Checker (KCC) automatically generates a topology for replication among domain controllers in the same domain using a ring structure. The KCC is a built-in process that runs on all domain controllers. The topology defines the path for directory updates to flow from one domain controller to another until all domain controllers in the site receive the directory updates. The KCC determines which servers are best suited to replicate with each other and designates certain domain controllers as replication partners on the basis of connectivity, history of successful replication and the matching of full and partial replicas. When more than 7 domain controllers are added to a site, the KCC creates additional connection objects to ensure that no domain controller is more than 3 hops distant from another domain controller. The replication data is not compressed, and the transport protocol is RPC.
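To make the KCC behaviour just described concrete, here is an added Python model. It is not material from the original post and not Microsoft's algorithm, only a simplified illustration: it builds the bidirectional ring for a list of constructed DC names, measures the largest hop count with a breadth-first search, and, once the site has more than 7 DCs, keeps adding a connection object between the two DCs that are farthest apart until no DC is more than 3 hops from any other. The DC names and the greedy choice of which connection to add are my own assumptions.

```python
from collections import deque

# Constructed DC names for a single site; nothing here comes from a real forest.
SITE_DCS = ["DC%02d" % i for i in range(1, 13)]   # 12 DCs, more than the 7 threshold


def ring_topology(dcs):
    """Connection objects of the initial bidirectional ring: every DC replicates
    with its predecessor and successor in the list. Edges are undirected
    frozensets so {A, B} and {B, A} are the same connection."""
    if len(dcs) < 2:
        return set()
    return {frozenset((dc, dcs[(i + 1) % len(dcs)])) for i, dc in enumerate(dcs)}


def hop_counts(edges, start):
    """Breadth-first search: number of replication hops from start to every DC."""
    adjacent = {}
    for edge in edges:
        a, b = tuple(edge)
        adjacent.setdefault(a, set()).add(b)
        adjacent.setdefault(b, set()).add(a)
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in adjacent.get(cur, ()):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def max_hops(edges, dcs):
    """Largest hop distance between any two DCs in the site."""
    return max(max(hop_counts(edges, dc).values()) for dc in dcs)


def kcc_intrasite(dcs, max_allowed=3, optimize_above=7):
    """Simplified KCC behaviour from the text: start with the ring; once the
    site has more than `optimize_above` DCs, keep adding a connection between
    the two DCs that are farthest apart until nobody is more than
    `max_allowed` hops from anyone else."""
    edges = ring_topology(dcs)
    if len(dcs) <= optimize_above:
        return edges
    while True:
        worst = None  # (dc, farthest_dc, hops)
        for dc in dcs:
            dist = hop_counts(edges, dc)
            far = max(dist, key=dist.get)
            if dist[far] > max_allowed and (worst is None or dist[far] > worst[2]):
                worst = (dc, far, dist[far])
        if worst is None:
            return edges
        edges.add(frozenset((worst[0], worst[1])))


if __name__ == "__main__":
    ring = ring_topology(SITE_DCS)
    print("ring: %d connections, max %d hops" % (len(ring), max_hops(ring, SITE_DCS)))
    opt = kcc_intrasite(SITE_DCS)
    print("optimised: %d connections, max %d hops" % (len(opt), max_hops(opt, SITE_DCS)))
```

With 12 DCs the plain ring leaves two DCs 6 hops apart, so an update would take six replication cycles to reach the far side of the ring; the added connections bring that down to at most 3 while keeping the original ring intact.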
Intersite Replication
To ensure replication between sites, we should connect them manually by creating site links. Site links represent network connections and allow replication to occur. A single KCC per site generates all connections between sites. To save bandwidth, data above 50 KB is compressed, and the transport protocol is IP or SMTP.
How will you replicate forcefully?
There are 4 methods:
1. Using Active Directory Sites and Services
2. Using repadmin
3. Using replmon
4. Using a script

32.What is a Bridgehead server?
It is a single domain controller in a site, the contact point which is used for replication between sites. It is automatically designated by the KCC. The KCC automatically creates connection objects between Bridgehead Servers.

33. What is meant by a trust relationship, and what are the different types of trust relationships?
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. (The protocols are Kerberos V5 (default) and NTLM.)

34. How are GPOs applied?
1. Local GPO
2. GPOs linked to sites
3. GPOs linked to domains
4. GPOs linked to OUs

35. What is the Resultant Set of Policy wizard?

It is provided to make policy implementation easier. It is a query engine that works in two modes: logging mode and planning mode. In logging mode the wizard polls the existing policies and any applications associated with a particular user or computer and then reports the result of the query. In planning mode the wizard asks questions about a planned policy implementation and then reports the result of the query.
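The following Python example is added here and is not part of the original post. It computes the resultant set of policy for the application order of question 34 (Local, then Site, then Domain, then OUs from the top down, with the later-applied GPO winning on conflicts) over a constructed set of GPOs, and reports, in the spirit of the wizard's logging mode, which GPO supplied each winning setting. It goes a little beyond the text by also honouring the Enforced flag on a link, which the post does not mention: an enforced GPO's settings win over conflicting settings from GPOs linked to lower containers. The GPO names, settings, container names and the example.test domain are all made up.

```python
# Constructed GPOs for a fictional computer WKS01 in site HQ, domain example.test,
# OU Workstations with child OU Lab. Each container lists its linked GPOs as
# (name, settings, enforced), in link order: index 0 has the highest precedence.
# None of these names or settings are real policies.
CONTAINERS = [
    ("Local: WKS01",
     [("Local GPO", {"ScreenSaverTimeout": 1800, "AllowUSB": True}, False)]),
    ("Site: HQ",
     [("Site Baseline", {"ScreenSaverTimeout": 900}, False)]),
    ("Domain: example.test",
     [("Domain Security", {"MinPasswordLength": 8, "AllowUSB": False}, True)]),
    ("OU: Workstations",
     [("Workstation Policy", {"ScreenSaverTimeout": 600, "AllowUSB": True}, False)]),
    ("OU: Workstations/Lab",
     [("Lab Policy", {"ScreenSaverTimeout": 300}, False)]),
]


def resultant_set(containers):
    """Return {setting: (value, gpo_name, container)} after applying GPOs in
    Local -> Site -> Domain -> OU order.

    Pass 1 applies the ordinary (non-enforced) GPOs in that order, so a GPO
    linked closer to the object overwrites an earlier one on conflict.
    Pass 2 applies the enforced GPOs from the closest container outward, so
    an enforced GPO on a higher container has the final say.
    """
    winners = {}
    for container, gpos in containers:
        for name, settings, enforced in reversed(gpos):  # index 0 applied last
            if enforced:
                continue
            for key, value in settings.items():
                winners[key] = (value, name, container)
    for container, gpos in reversed(containers):
        for name, settings, enforced in reversed(gpos):
            if not enforced:
                continue
            for key, value in settings.items():
                winners[key] = (value, name, container)
    return winners


def logging_report(containers):
    """Logging-mode style report: one line per setting naming the winning GPO."""
    rs = resultant_set(containers)
    return ["%s = %r  <- %s (%s)" % (key, val, gpo, cont)
            for key, (val, gpo, cont) in sorted(rs.items())]


if __name__ == "__main__":
    for line in logging_report(CONTAINERS):
        print(line)
```

In the constructed data the Lab OU wins the screen-saver timeout because it is applied last, while AllowUSB ends up False even though the Workstations OU sets it to True, because the domain-level GPO that disables it is enforced; drop the enforced flag and the OU policy wins, which is the plain order of question 34.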
