O slideshow foi denunciado.
Utilizamos seu perfil e dados de atividades no LinkedIn para personalizar e exibir anúncios mais relevantes. Altere suas preferências de anúncios quando desejar.

Active Directory

Active Directory Introduction
Active Directory Basics
Components of Active Directory
Active Directory hierarchical structure.
Active Directory Database.
Flexible Single Master Operations (FSMO)Role
Active Directory Services.
Some useful Tool

  • Entre para ver os comentários

Active Directory

  1. 1. Active Directory for Windows Server Sandeep Kapadane.
  2. 2. Index <ul><li>Active Directory Introduction </li></ul><ul><li>Active Directory Basics </li></ul><ul><li>Components of Active Directory </li></ul><ul><li>Active Directory hierarchical structure. </li></ul><ul><li>Active Directory Database. </li></ul><ul><li>Flexible Single Master Operations (FSMO)Role </li></ul><ul><li>Active Directory Services. </li></ul>
  3. 3. <ul><li>Active Directory Introduction </li></ul>
  4. 5. What is Active Directory ? <ul><li>Active Directory is Microsoft's version of X.500 recommendations. It 's database and directory service , which maintains the relations ship between resources and enable them to work together. It provide centralized repository for user account information and directory authentication , authorization and assignment of right and permissions. </li></ul><ul><li>It store information in hierarchical tree like structure . It depends on two Internet standard one is DNS and other is LDAP. Information in Active directory can be queried by using LDAP protocol and it use Kerberos V5 for authentication. </li></ul>
  5. 6. Do I Need Active Directory <ul><li>If I want to centrally manage access to resources such as printers, users and group. </li></ul><ul><li>If I want to control user accounts from one location. </li></ul><ul><li>If I have application that rely on Active Directory. </li></ul>
  6. 7. Active Directory Basic
  7. 8. The Basic <ul><li>X.500 Recommendations </li></ul><ul><li>Domain Naming System (DNS)‏ </li></ul><ul><li>LDAP </li></ul><ul><li>Schema </li></ul><ul><li>Replication </li></ul><ul><li>Global catalog </li></ul><ul><li>Components of Active Directory </li></ul>
  8. 9. What is X.500 Recommendations <ul><li>To address the needs of organizations, the Institute of Electrical and Electronics Engineers (IEEE) developed a set of recommendations that defined how a directory service should address the needs of administrators and efficiently allow management of network resources . These recommendations, known as the X.500 recommendations </li></ul>
  9. 10. Domain Naming System (DNS)‏ <ul><li>Domain Naming System (DNS) is the hierarchical naming and a domain name resolution system used on Internet and windows network for naming resolution. </li></ul><ul><li>It converts the domain name into its related IP address. </li></ul><ul><li>Active Directory is Depends of DNS , both share the same zone-naming conventions. If DSN server fail it cause to fail active directory too fail. </li></ul>
  10. 11. LDAP <ul><li>LDAP is a directory access protocol , which is used to exchange directory information from server to clients or from server to server . </li></ul><ul><li>Port number for LDAP is 389 . </li></ul><ul><li>It was initially used as front-end to X.500 , but can also be used with Stand-alone and other kinds of directory servers. </li></ul>
  11. 12. Schema <ul><li>The Schema acts as the building blocks of Active Directory. It holds all of the information needed to created users, groups, computers, and so on within Active Directory . The Schema defines the classes of objects that are allowed within a directory and attributes that are associated with those objects. These must be consistent across domain in order for security policies and access rights to function correctly. It defines how each attribute can be used and the properties associated with the attribute. </li></ul>
  12. 13. Schema Attribute <ul><li>To Standardize Active Directory , the Schema defines the attributes that can be used when creating objects. These attribute defined only once and can be used for any object. </li></ul><ul><li>Defining the attribute once and using it for multiple objects allows for a standardized approach of defining objects, </li></ul><ul><li>E.g.. of attribute is name </li></ul><ul><li>Each attribute within the schema has to have a unique OID (Object Identifier). </li></ul><ul><li>To be Continue........... </li></ul>
  13. 14. <ul><li>These OID are registered and maintained by the Internet Assigned Numbers Authority (IANA). Once assigned , the OID Should not be used by any other attribute. </li></ul><ul><li>New attributes will need to be assigned an OID . If you are adding an attribute for use in object , you should register it with the IANA to safeguard the attribute and to make sure that it does not step on any other attributes. Registration is free and as long as your OID is unique , you should be issued an OID for your attribute . </li></ul>To be continue .............
  14. 15. Schema classes. <ul><li>An object Class is a defined grouping of attributes that make up a unique resource type. </li></ul><ul><li>One of the most common object class is the user class. Use the user object class as the template for a user account. When you create a user , the attributes that are defined for the user object class are used to define the new account. </li></ul>
  15. 16. Replication <ul><li>Replication is Process of making a replica (a copy) of something. </li></ul><ul><li>Replication is the automatic synchronization of data that occurs among domain controllers. </li></ul><ul><li>Any changes to the user account are made on one of the domain controllers and the sent to every other domain controller within the domain this transfer of data is called replication. </li></ul><ul><li>Replication of information can be burden on network to reduce the replication burden on the network Active Directory replicates only the attributes that have been changed not the entire object. </li></ul>
  16. 17. Synchronization <ul><li>Process of making two or more data storage devices or programs (in the same of different computers) having exactly the same information at a given time. </li></ul>
  17. 18. Global Catalog <ul><li>Global Catalog maintains indexes about objects. It contains full information of the objects in its own domain and partial information of the objects in other domains. Universal Group membership information will be stored in global catalog servers and replicate to all GC's in the forest. </li></ul><ul><li>Port number for Global Catalog is 3268 </li></ul>
  18. 19. <ul><li>Component of Active Directory </li></ul>
  19. 20. Component of Active Directory <ul><li>There are two type of components </li></ul><ul><ul><li>Logical Components </li></ul></ul><ul><ul><ul><li>Domain </li></ul></ul></ul><ul><ul><ul><li>Tree </li></ul></ul></ul><ul><ul><ul><li>Forest </li></ul></ul></ul><ul><ul><ul><li>Organizational unit. </li></ul></ul></ul><ul><ul><li>Physical Components </li></ul></ul><ul><ul><ul><li>Site </li></ul></ul></ul><ul><ul><ul><li>Domain Controller. </li></ul></ul></ul>
  20. 21. <ul><li>Logical Component of Active Directory </li></ul>
  21. 22. Domain <ul><li>The Domain is the core unit of logical structure in Active Directory. All Objects which share a common directory database, trust relationship with other domain and security policies is know as Domain. </li></ul><ul><li>Each domain stores information about the objects that belong to that domain. </li></ul><ul><li>All Security polices and settings , such as Administrative rights, security policies, and Access Control Lists (ACL's), do not cross from one domain to another, </li></ul><ul><li>Domain Administrator has full rights to set policies only within domain they belong to. </li></ul><ul><li>Domains provide administrative boundaries for objects; manage security for share resources and unit of replication for objects. </li></ul>
  22. 23. Tree <ul><li>Trees are collections of one or more domains that allow global resource sharing. A tree may consist of a Single domain or multiple domains in a contiguous namespace. </li></ul><ul><li>Adding a domain to a tree becomes a child of the tree root domain. Domain will be called parent domain to which child domain is attached . A child domain can also have its multiple child domains. Child domain uses the name followed by parent domain name and gets a unique Domain Name System (DNS) . </li></ul>
  23. 25. Forest <ul><li>A Forest is a collection of multiple trees that share a common global catalog, directory schema, logical structure, and directory configuration. </li></ul><ul><li>The Primary security boundary for Active Directory is Forest, Which contain domain trees </li></ul><ul><li>Forests allow organizations to group their divisions which use different naming scheme, and may need to operate independently . But as an organization they want to communicate with the entire organization via transitive trusts, and share the same schema and configuration container. </li></ul><ul><li>The first domain you create in the forest is called the forest root domain. </li></ul>
  24. 26. Organizational unit <ul><li>It is a logical component of Active Directory and is used to organize users, groups and computers. </li></ul>
  25. 27. <ul><li>Physical Component of Active Directory </li></ul>
  26. 28. Site <ul><li>Site Contain Active Directory resources that are all connected by reliable high-speed bandwidth a minimum of 10 MB. Site membership is used in the logon process as a computer attempts to locate domain controllers in its own site first, in replication , in accessing global catalogues and in exchange server messaging infrastructure </li></ul>
  27. 29. Domain Controller <ul><li>Domain Controller is a single computer or Server that hold and controls Active Directory database. </li></ul><ul><li>It is the physical components of Active Directory and is used to control and manage the domains in a organization's forest. </li></ul>
  28. 30. Active Directory Hierarchical Structure
  29. 31. Active Directory Hierarchical Structure Forest root domain Domain Tree Domain Tree Domain Tree Forest
  30. 32. Active Directory Hierarchical Structure <ul><li>The Primary security boundary for Active Directory is Forest, Which contain domain trees. </li></ul><ul><li>There can be one or more domain trees in a forest though the first domain is designated as the forest root domain . A domain tree can contain multiple domains that share a common namespace. And regardless of the number of domain trees in a forest, there is centralized administration at the forest level with permissions to all domain trees. Each forest has an Enterprise Admins group as well as </li></ul><ul><li>to be continue...... </li></ul>
  31. 33. To to continue.... .... <ul><li>Schema Admins group. Member of there groups have authority over all the domain trees in the forest . </li></ul><ul><li>All domain controller within the forest share the same schema. </li></ul><ul><li>Each domain has a domain Admin group and administrators . </li></ul><ul><li>In a parent domain automatically have administrative permissions to all child domains through automatic transitive trust relationships. These type of structure is know as hierarchical structure. </li></ul>
  32. 34. <ul><li>Active Directory Database </li></ul>
  33. 35. Active Directory Database <ul><li>Active Directory stores its data in a file name ntds.dit. </li></ul><ul><li>In addition to using the database file , Active Directory uses log file that store information prior to committing it to database that are edb.log, edb.chk , res1.log, res2.log. By default , this file is located in %systemroot%/NTDS folder. </li></ul><ul><li>During AD installation , Dcpromo lets you specify alternative locations for these log files and database files or you can use ntdsutil to move database to alternate location after installation. </li></ul>
  34. 36. Move database to other location <ul><li>Start computer in directory service restore mode and log on with directory service restore mode Administrator account and open command prompt. Then type </li></ul><ul><li>Ntdstui l (press enter)‏ </li></ul><ul><li>Files (press enter)‏ </li></ul><ul><li>Move DB to <new directory location path> (press enter.)‏ </li></ul>
  35. 37. Move log file to other location <ul><li>Start computer in directory service restore mode and log on with directory service restore mode Administrator account and open command prompt. Then type </li></ul><ul><li>Ntdstui l (press enter)‏ </li></ul><ul><li>Files (press enter)‏ </li></ul><ul><li>Move logs to <new directory location path> (press enter.)‏ </li></ul>
  36. 38. <ul><li>Flexible Single Master Operations </li></ul><ul><li>(FSMO Role)‏ </li></ul>
  37. 39. What Are the FSMO Roles? <ul><li>FSMO roles are specialized services within Active Directory that should be performed only by a single domain controller. </li></ul><ul><li>There are five roles make up the FSMO ( Flexible Single Master Operations ) : </li></ul><ul><ul><li>Schema Maser. </li></ul></ul><ul><ul><li>Domain Naming Master. </li></ul></ul><ul><ul><li>Infrastructure Master. </li></ul></ul><ul><ul><li>Relative Identifier (RID )Master. </li></ul></ul><ul><ul><li>Primary Domain Controller (PDC) Emulator . </li></ul></ul><ul><li>All five of these roles coexist on one domain controller , or you can move them so that they all run on their own independent domain controller. </li></ul>
  38. 40. FSMO Role:- Schema Master <ul><li>The Schema master domain controller controls all updates and modifications to the schema . Once the schema update is complete, it is replicated from the schema to all other DC in the directory. </li></ul><ul><li>To update the schema of a forest, you must have access to the schema master </li></ul><ul><li>There can be only one schema master is the whole forest. </li></ul><ul><li>To see all FSMO role run the command </li></ul><ul><li>Netdom query /domain:<domain> </li></ul>
  39. 41. FSMO Role:- Domain Naming Master <ul><li>The Domain naming master domain controls the addition or removal of domains in the forest. </li></ul><ul><li>There can be only one domain naming master in the whole forest. </li></ul>
  40. 42. FSMO Role:- Infrastructure Master <ul><li>The Infrastructure Master Domain Controller responsible for updating an object's SID and distinguished name in a cross-domain. </li></ul><ul><li>There can be only one domain controller acting as the infrastructure master in each domain. </li></ul><ul><li>The infrastructure master (IM) role should be held by a domain controller that is not a global catalog Server . IF the infrastructure master runs on a Global catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a global catalog server holds </li></ul><ul><li>To be continue .......... </li></ul>
  41. 43. To be continue ...... <ul><li>A partial replica of every object in the forest . As a result, cross domain object references in that domain will not be updated and a warning to the effect will be logged on that DC event log. </li></ul><ul><li>If all domain controllers in domain also host the global catalog, all the domain controllers have the current data and it is not important which domain controller holds the infrastructure master role. </li></ul>
  42. 44. FSMO Role:- RID Master <ul><li>The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. </li></ul><ul><li>When DC creates a security principle object such as user or group it attaches a unique security ID (SID) to object. This SID consists of domain SID (The same for all SID's created in a domain) , and a relative ID (RID) that is unique for each security principal SID created in a domain. </li></ul><ul><li>Each DC in a domain is allocated a pool of RID that it is allowed to assign to the security principal it creates. </li></ul><ul><li>To be continue.... </li></ul>
  43. 45. To be continue ... <ul><li>When a DC's allocated RID pool falls below a threshold , that DC issues a request for additional RIDs to the Domain's RID Master. The Domain RID master responds to request by retrieving RIDs from the domains unallocated RID Pool and assigns them to the pool of the requesting DC. </li></ul><ul><li>At any one time there can be only one domain controller acting as RID master in the domain. </li></ul>
  44. 46. FSMO Role:- PDC Emulator <ul><li>The PDC emulator is necessary to synchronize time in an enterprise windows. </li></ul><ul><li>Windows 2000/2003 includes the W32Time time service that is required by the Kerberos authentication protocol. </li></ul><ul><li>All windows 2000/2003 base computes within an enterprise use a common time . The purpose of the time service is to ensure that the windows Time service uses a hierarchical relationship that controls authority and does not permit loops to ensure appropriate common time usage. </li></ul><ul><li>The PDC emulator of a domain is authoritative for the domain the PDC emulator at the root of the forest become authoritative for the enterprise. And should be configured to gather the time from an external source. </li></ul><ul><li>To be continue ... </li></ul>
  45. 47. <ul><li>All pdc fsmo role holders follow the hierarchy of domains in selection on their in bound time partner. </li></ul><ul><li>The PDC emulator role holder retains the following function. </li></ul><ul><ul><li>Password changes performed by other DC's in the domain are replicated preferentially to the PDC emulator. </li></ul></ul><ul><ul><li>Authentication failures that occur at the given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user. </li></ul></ul><ul><ul><li>Account lockout is processed on PDC emulator </li></ul></ul><ul><ul><li>Editing or creation of group policy objects (GPO) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administer. </li></ul></ul><ul><li>An any one time there can be only one DC acting as PDC emulator master in each domain in the forest. </li></ul>
  46. 48. Viewing FSMO holder <ul><li>Command to check all fsmo Role holder in domain domain.local </li></ul><ul><ul><li>Netdom query fsmo /domain:domain.local </li></ul></ul><ul><li>Using Dcdiag: </li></ul><ul><li>Dcdiag /test:knowsofroleholders /v </li></ul><ul><li>You can find individual role holders with the dsquery command:- </li></ul><ul><ul><li>To find the Schema master </li></ul></ul><ul><ul><li>dsquery server -hasfsmo schema </li></ul></ul><ul><ul><li>To find the Domain naming master </li></ul></ul><ul><ul><li>dsquery server -hasfsmo name </li></ul></ul><ul><ul><li>To find the infrasturcture master </li></ul></ul><ul><ul><li>dsquery server -hasfsmo infr </li></ul></ul><ul><ul><li>To find the RID Master </li></ul></ul><ul><ul><li>dsquery server -hasfsmo rid </li></ul></ul><ul><ul><li>To find the PDC Emulator </li></ul></ul><ul><ul><li>dsquery server -hasfsmo pdc </li></ul></ul>
  47. 49. Active Directory Services
  48. 50. Active Directory services <ul><li>Distributed File System </li></ul><ul><li>Domain name System (DNS) server </li></ul><ul><li>File Replication </li></ul><ul><li>Intersite messaging </li></ul><ul><li>Kerberos key Distribution Center </li></ul><ul><li>Remote Procedure Call (RPC) Locator </li></ul><ul><li>Active Directory Domain Service (ADDS)‏ </li></ul><ul><li>Active Directory Lightweight Directory Services </li></ul><ul><li>Active Directory Federation Services </li></ul><ul><li>Active Directory Right management Service </li></ul><ul><li>Active Directory Certificate Service </li></ul>
  49. 51. Active Directory services <ul><li>Distributed File System :- Manages logical volumes across local and wide are network </li></ul><ul><li>Domain name System (DNS) serve r:- Responds to DNS queries and dynamic DNS Requests. </li></ul><ul><li>File Replication :- Allows files to be copied and maintained across multiple Servers. </li></ul><ul><li>Intersite messaging :- Allows Messages to be exchanged between windows servers. </li></ul><ul><li>Kerberos key Distribution Center: - Enables user to log onto domain using the Kerberos authentication protocol </li></ul><ul><li>To be Continue ............ </li></ul>
  50. 52. Active Directory services <ul><li>Remote Procedure Call (RPC) Locator : - Enables RPC clients using RpcNS*APIs to locate RPC Servers. </li></ul><ul><li>Active Directory Domain Service (ADDS) :- Stores all information about resources on the network , such as user, computer and other devices. </li></ul><ul><li>Active Directory Lightweight Directory Services:- Allows administers to create small version of Active Directory that run as non-operating system services. </li></ul><ul><li>Active Directory Federation Services:- Provides Web single Sign-on (SSO) technologies to authenticate users to multiple web applications in a single session. </li></ul><ul><li>To be continue ... </li></ul>
  51. 53. Active Directory services <ul><li>Active Directory Right management Service: - Protect and secure information from unauthorized use online and offline, inside and outside of the environment. </li></ul><ul><li>Active Directory Certificate Service : - Allows the mapping of users and resources to private key to help secure identity in public key infrastructure PKI base environment. </li></ul>
  52. 54. Finding highly privileged group membership <ul><li>You can view membership into highly privileged domain group using net.ext utility at command prompt. </li></ul><ul><li>net.ext group < domain-group-name > /DOMAIN </li></ul><ul><li>For eg to view membership in Domain Admins Group command is like : </li></ul><ul><li>net.exe group “Domain Admins” /Domain </li></ul>
  53. 55. Finding users that have not logged on since last month <ul><li>You can find such account in your organization's domain by using net.exe command </li></ul><ul><li>net.exe user < usernam e> /Domain </li></ul><ul><li>It return the domain account information about the user such as whaen user's password was last set , when the user's current password expires and when the user last logged on. </li></ul><ul><li>net.exe user Testuser /Domain </li></ul><ul><li>OR </li></ul><ul><li>net.exe user Testuser /Domain | findstr “Last logon” </li></ul>
  54. 56. SOME USEFULL UTILITY <ul><li>Repadmin </li></ul><ul><li>NetDiag </li></ul><ul><li>DCDiag </li></ul><ul><li>DNSCMD </li></ul><ul><li>DNSLint </li></ul><ul><li>Account lockout and management tool. </li></ul>
  55. 57. Repadmin <ul><li>the replication diagnostic tool more commonly known by its short name repadmin, can help to diagnose Active Directory replication problem between Domain Controllers </li></ul><ul><li>Its Verify replication consistency between replication partners , monitor replication status , display replication metadata, and force replication events and topology recalculation. </li></ul><ul><li>Using this tool administrators can look at the replication topology as seen from the point of view of each domain controller. </li></ul><ul><li>You can also use repadmin to force replication between domain controller or to manually create a replication topology. </li></ul>
  56. 58. Netgiag <ul><li>Check end to end network connectivity and distributed services functions. </li></ul><ul><li>The command line tool can be used to help diagnose and isolate connectivity issues in your network. It does this by performing a number of tests on the system and displaying network and configuration information </li></ul>
  57. 59. DCDiag <ul><li>DCDiag is a command line utility that will run diagnostic test s against the domain controller. It runs several tests , and output can span many screen. </li></ul><ul><li>If you want to perform specific tests against the domain controller, use the /test: switch for instance. If you want to make sure that the replication topology is fully interconnected issue the following command </li></ul><ul><li>Dcdiag /test:topology </li></ul><ul><li>To test that replication is functioning properly; issue the command </li></ul><ul><li>Dcdiag /test:replications </li></ul><ul><li>To view the status of global catalog replication use the command </li></ul><ul><li>dcdiag /v /s:domain_controller_name | find “%” </li></ul>
  58. 60. DNSCMD <ul><li>This command line tool is found in the support tools folder of the windows server CD and enable you to create , modify , and delete resource records and zones. </li></ul><ul><li>If you want to view the DNS information and statistics of server type </li></ul><ul><ul><li>Dnscmd <Sever name > /info </li></ul></ul><ul><ul><li>other useful switches with dnscmd are as follows </li></ul></ul><ul><ul><li>/Zoneinfo : this will display information about the target zone. </li></ul></ul><ul><ul><li>/DirectoryPartitioninfo : this command will display the directory partition information for target partition. </li></ul></ul>
  59. 61. DNSLint <ul><li>This is a command line utility for windows server 2003 and higher and is located in the support tools folder of the windows server cd . </li></ul><ul><li>It can be used to check for and verify DNS records and server functionality and to generate a report in HTML </li></ul><ul><li>dnsline /d domain_name | /ad [LDAP_IP_Address] | /ql input_file [/c] A [smtp,pop,imap] [/no_open] [/r report_name] [/t] [/test_tcp] A[/s DNS_IP_address] [/v] [/y] </li></ul><ul><li>eg:- </li></ul><ul><li>dnsline /AD </li></ul><ul><li>When using DNSLint you must specify one of three switches - /d, /ql , or /ad </li></ul><ul><li>/d : Diagnoses problem , /ql : verifies a user defined set of DNS records , /ad : verifies DNS records specifically used for active directory replication </li></ul>
  60. 62. Account Lockout and Management Tool <ul><li>The acctinfo.dll file is actuall part of the Account Lockout and management tools you can download from Microsoft. </li></ul><ul><li>Acctinfo.dll includes an additional property page for the user-account properties. This additional property page will allow you to determine when the account's password was set, when the password expires, when the user last logged on or off the domain as well as other lockout information. </li></ul><ul><li>LockoutStatus.exe display information concerning a locked out account. Use this tool to determine which computer were involved in the lockout by the account and when the lockout occurred . </li></ul>
  61. 63. Reference <ul><li>Google </li></ul><ul><li>Mastering Active Directory for windows server 2008 by john A.Price </li></ul><ul><li>Microsoft press Exchange server 2003 </li></ul>
  62. 64. THE END