Active Directory for Microsoft Windows 2000

This hopes to be an action-oriented trace through the Active Directory infrastructure associated with Microsoft's Windows 2000—a trace of events from logon rather than mere definitions of fragmented concepts. Better for troubleshooting.

Microsoft Active Directory Disaster Recovery
... on Dissimilar Hardware [Q263532]

Maintaining Active Directory: Reducing the Directory and Removing Orphaned Objects

Topics this page:

Site Map  
About this site  

Related Topics:
Windows 2000 Installation and
Administration 
TCP/IP 
ISO Layers 

Free Training! 
Technical Support 

What's The Big Deal?

From Windows 2000 Active Directory by Joe Francis at Microsoft

Active Directory delivers network operating system services like a dial tone:

• A focal point for management of network elements (users, applications, devices, etc.)
• Trusted repository of security data for authenticaiton and authorization.
• An Open Platform for application development and integration with other systems.

Accessing Active Directory using Perl

Get Yourself Certified on MS Directory Services Infrastructure

To help those taking Exam 70-217, Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure for the Windows 2000 MCSE, Microsoft offers Official Curriculum (MOC) used by CTEC's in instructor-led course 2154 - Implementing and Administering Microsoft® Windows® 2000 Directory Services.

To help those taking Exam 70-219, Designing a Microsoft Windows 2000 Directory Services Infrastructure, Microsoft offers Official Curriculum (MOC) used by CTEC's in instructor-led Course 1561 - Designing a Microsoft Windows 2000 Directory Services Infrastructure.

Active Directory Architecture

Three critical MMC snap-ins are used to administer Active Directory. They are:
• Active Directory Users and Computers: Accounts for Logon Groups Partitions Domain Controllers Foreign Security Principals Builtin System Settings Resources
• Active Directory Domains and Trusts
• Active Directory Sites and Services

Item	Organized around	Stored
Sites	Physical IP Subnets	...
Domains	Logical	AD
Domain Controllers	Physical servers	...
OUs (Organizational Units)	Logical	Values in AD
Global Catalog	Physical server	...

Local account information for each Windows 2000 machine is stored in a SAM database file (just as it did in NT4).

The SAM database file on a W2K domain controller is used only for directory services restore mode.

Information on domain accounts (password hashes) are stored in the Active Directory database file on a domain controller located at %systemroot% \ntds\ntds.dit.

Logon Accounts

When a user logs on...

Attribute Value	Type	Usage	Scope of Uniqueness
Using an X.500 attributed naming convention: CN=JohnDoe C= (2 character Country Code) O= (Organization - up to 64 characters) OU= (Organizational Unit - up to 32 characters) CN= (Common Name - up to 80 characters) in Users container DC=domain1 domain name DC=com Domain_root (the root domain which contains the object)	DN (Domain Name)	specifies the complete path to the location of an entry (an object) in a container hierarchy	Complete path: Must be unique in its forest because every object in AD has an LDAP DN.
John Doe	RDN (Relative Domain Name)	LDAP searches within an identified domain	Canonical: Must be unique in its own OU, not the entire directory.
JohnDoe@domain1.com	UPN (User Principal Name)	logon name -- Each AD user has one.	Contextual: Must be unique within a single domain
domain1\JohnDoe	Downlevel Login Name	backward comptibility with NT	NetBIOS network stored in a SAM on a DC.

During logon authentication, the DC locator service responds to user logon attempts by searching for the closest site on the same TCP/IP subnet (LAN segment) as the user.

Sites on Network

Sites usually correspond to a common physical (geographical) location on one or more unique TCP subnets (ranges of IP addresses). This is because sites are used to organize LAN and WAN segments to optimize network traffic patterns.

In BackOffice products such as Microsoft Exchange Server, a site is a logical grouping of servers that can be specified without regard to physical location of the servers themselves. Before Windows 2000, the Microsoft Exchange product used the concept of sites -- servers “well-connected" with each other. Machines within a site are usually connected by a high-speed high-bandwidth (10/100 mbps) LAN rather than a slow-speed (dial-up) WAN.

Sites exist as server and configuration objects within the Global Catalog. Site configuration objects are used to configure replication paths.

Sites are NOT part of the logical namespace of domains.

Global Catalog

User authentication begins with access to a global catalog server. Users are then refered to a domain controller for logon to a domain. The Netlogon service uses a secure channel to pass credentials to a domain controller.

To designate a DC to be a Global Catalog server, check the "Global Catalog" property setting in the "Active Directory Sites and Services" MMC snap-in.

• Each global catalog server is part of a physical site for supporting logon authentication and replication.
• For redundancy and load balancing, each major site should have two or more GCs.
• The global catalog servers within the same MDT have the same schema of objects. Each Global Catalog contains:
  • a full replica of all objects in the host domain
  • a partial replica (not all attribute values) of objects in other domains in the MDT.

Fault tolerant Dfs (Distributed File System) does not reference the Global Catalog.

By default, AD uses ports 445, 389, 88, 123, 135, 3268 for a GC, and 1025 or 1026 for logon and AD replication.

Domains Are Administrative

A domain is an administrative boundary for security, replication, and authentication.

Several domains can be joined into trees which share a common schema.

When a user logs on to any Windows 2000 machine, it sends the domain user account's authentication information to the domain controller specified by the UPN entered by the user.

A local user account has permission only for the local machine, not the domain.

Each domain is a container for AD information. Because Windows 2000 enables domains to identify parent-child associations, Domains can now mirror the administrative hierarchy of an organization.

From Program Files Administrative, use "Active Directory Users and Computers"

• Each domain must have its own domain controller to store the domain directory containing account information for a domain.
• Windows 2000 does not use NT4 "Primary" and "Backup" controllers. All domain controllers are equal with the Windows 2000 “multi-master" model.
• All changes made to one domain controller are replicated to all other domain controllers on its domain.

  Dommon.exe Domain Monitor [from the Resource Kit] monitors the status of Replication and Trusts for Domain Controllers within user-selected Domains.

  

• To simplify the granting of permissions, users are usually organized into groups to which permissions are assigned.

Microsoft does not provide a report that presents who manages a specific user.

Groups

To add, display, or modify global and local groups (Aliases):
NET LOCALGROUP
NET GROUP (on domain controllers)

For more information, use command

NET HELP GROUP
Types of groups:
• Security groups can be granted permissions:
  • container object permissions
  • individual object permissions
  • attribute object permissions

• Distribution groups cannot be used to grant permissions, only to send email.

The scope of groups: A G (U) DL P

• Domain local groups are valid in a single domain.
• Members of Universal groups can be from any domain. This is available only if Windows 2000 is in native mode.
• Members of Global groups are from a single domain can access resources in other domains. Permissions are never assigned directly to global groups.
• In Windows 2000, Global groups can nest other global groups from within their own domain, but they don't appear in the GC.

• A group can only belong to a single OU.

.

Namespaces: Active Directory Architecture

The Active DirectoryT service in Microsoft® Windows® 2000 is directory service designed for distributed networking environments. Active Directory lets organizations share and manage information about network resources and users, and it acts as the central authority for network security.

To export a list of AD objects in Line Delimited format (ldfz), use this utility installed with Windows 2000 Server (not Pro):

LDFIDE -f Export_file_name
Q263991 - How to Set a User's Password with Ldifde

To exports AD contents into Comma Seperated Values (csv):

CSVIDE
Step-by-Step Guide to Bulk Import and Export to Active Directory
• Each domain controller in a forest holds a copy of the Active Directory database, which is replicated to other domains.

• The Active Directory database file is named ntds.dit in default folder %systemroot% \Ntds.
• The Schema.ini file defines AD configurations.

• Active Directory services are provided from the Directory Service module Ntdsa.dll of the LSA server service that enforces security policies in the Active Directory. The Security Accounts Manager (SAM) enforces policies stored locally.
• The ESE can theoretically store up to 10 million objects per domain in a Active Directory database up to 17 terabytes.
• The Directory System Agent (DSA) is the actual process that manages the directory's physical storage.
• At the top of the namespace is a rootDSE object configuration container which holds the internal logical architecture of the Active Directory.
• AD defines 4 Naming Contexts: schema, sites, partitions, and services.

Activewin's excellent Step-by-Step Guide to Managing Active Directory

Brian Brown's Windows 2000 tutorial mirrored on academic sites around the world.

Microsoft's Active Directory Overview This white paper explains Active Directory and how it benefits organizations that deploy it; this information will be helpful to Microsoft partners proposing Windows 2000 to their customers.

Partitions for Replication

• The AD database contains 3 Partitions (units of replication):
  • Domain Directory Partition unique to a domain, replicated only within controllers in a single domain.
  • Schema Directory Partition
  • Configuration Directory Partition

  Schema and Configuration partitions are replicated to all DC's Enterprise-wide.

  Situation	Strategy
  Users are organized strictly by location	Create OU's or domains for each division
  Many employees are involved in inter-company ventures	Create a versatile yet logical structure
  Many employees frequently move among different divisions	Organize users into a single domain rather than separate domains.
  There is many frequent changes in (temporary) employees	Use global groups
  There is few changes among permanent employees	Use universal groups

.

Schema Objects

Each network resource (computer, drive share, printer, etc.) exists as an object in an Active Directory schema, which is like the data dictionary to a table.

The default schema provided with Windows 2000 contains 140 classes of __ objects with 850 attributes.

Each object has distinctly named attribute properties and property values which can be extended and searched. An Attribute definition within AD contains:

• Object Name
• Object Identifier
• Syntax (for its data type: Boolean true/false, text mask, etc.)
• Optional Range Limits

Have Some Class

Objects that share common attributes (such as printers - a type of object) can be grouped into a class. Objects are actual instances of object classes. A class definition in the schema contains:
• Object Name
• Object Identifier
• "May Contain" Attribute
• "Must Contain" Attribute
• Parent Classes
• Auxiliary Classes

In other words, objects belonging to the same class have the same attributes, but contain different values.

A child class derived from an existing class inherits the attributes from the existing class.

Containers

Objects within a domain are organized into containers of Organizational Units (OU's) which mirror an organization's departments. This allows for easier delegation of permissions, done by placing objects in an OU and granting permissions to the OU.
• Objects are also organized logically into administrative organizational groups such as Finance or Sales.

• User accounts added to a domain are copied to all domain controllers on that same domain.
• Differences between Schema Masters and Domain Naming Masters. ???
• The Directory schema defines the universe of objects that can be stored in an entire forest.
• All domains in a tree must share their Configuration information (such as the replication topology).

  To initialize the first domain and forest ("Default-First-Site-Name" in Sites and Services) use the dcpromo Active Directory Installation Wizard

  1. Create a domain controller
  2. "Create a new domain tree"
  3. Chose "Create a new forest of domain trees" or "Place the new domain tree in an exiting forest"
  4. input the root name of the domain.
• The default location for the database and log files is %systemroot% \Ntds on the shared system volume %systemroot% \Sysvol
• New to Windows 2000 is the ability to delegate Authority. Some guidelines for delegation:
  • Delegate at the OU level.
  • Avoid delegation at the attribute level.

Schema Management

The AD schema is usually viewed using the "Active Directory Schema" MMC, which enable classes to be modified or deactivated.

The "ADSI Edit" MMC from the Windows 2000 Resource Kit views CN and DN information.

To add a property to a user account using ADSI:

• Register the dll:
  regsvr32 %systemroot% \system32\schmmgmt.dll
• Login as user in the "Schema admins" universal group.

AD Schema Extensibility

To AD-enable applications such as MS Exchange, Lotus Notes, or Novell Directory Services, Schema Administrators may add to the AD schema using Microsoft's ADSI, a set of API's that expose AD functionality to applications written in C, C++, and other programming languages. ADSI is a part of Microsoft's ODSI, which, in turn, is part of WOSA and Microsoft's COM (Component Object Model).

How much is the LDAP C API [RFC 1823] used?

.

Searching with LDAP

Enumprop [from the Resource Kit] enumerates properties such as the /security descriptor or /attributes for objects within a user-supplied LDAP path:
enumprop /ATTR:objectGuid,objectSid,distinguishedName
“LDAP://cn=administrator,cn=users,dc=user5,dc=com"

Security Precautions

• Rename the default "Administrator" userid.
• For occassional users, grant network and utility permissions to the built-in Guest account.
• Set the maximum length of a User name 20 characters
• Passwords:
  • Ensure passwords contain lower and upper case
  • Set minimum password lengths.
  • Enable password histories
  • Install on machines PASSFILT.DLL and “strongpass.dll” from Ntsecurity.nu, which enhances restrictions on passwords even further.
• Define organizational conventions for:
  • resolving duplicates (add number, dept., middle initial, etc.)
  • time of day for access
  • Password must contain at least a certain length, upper & lower case, a number.
  • Must password change on first login.
  • Time before expiration/warning.
  • Logon to which machines
  • Deny dial-up/VPN access

• Windows assigns to each object a permanent 128-bit GUID (Guaranteed Unique IDentifier) based on the current time stamp, the network adapter card's MAC Address, etc.
• Windows 2000 does not use NetBIOS names used by Windows NT 4.

• When a user logs on, the domain controller returns an access token containing the user SID (Security ID) and group memberships.
• This token is compared to the ACL (Access Control List) of the resource on a domain.
• ACL's are populated by Access Control Entries (ACE's).

• An organization may have several domains for several reasons:
  • Allow for different groupings (alternative organizations)
  • Segment high network traffic into two subnets
  • Enable decentralized IT administration (each with different set of permissions)
• OU's are nested under another OU to build a hierarchy in a domain. This provides for greater control.

Domain Forests

• A forest, or multi-tree forest (MTF), is a collection of separate trees. is a collection of trees They usually come about from a corporate acquisition or merger.
• A domain forest does *not* form a continguous namespace. Each forest has its own (hetereogenious) schema.
• So, User accounts in one forest are not valid in another forest.

  Trusts

• A forest can be connected by two-way trust relationships between different root domains which share a common Active Directory. Two-way trusts are transitive -- implicit.

• Unlike NT4, which requires a two-way trust to be explicitly created to each domain, when Windows 2000 adds a domain to a domain tree, it automatically creates a trust relationship between domains in a forest. This is one of the main benefits from upgrading to Windows 2000.
• The first domain controller defined in a forest is created with default name “Default-First-Site-Name".
• It permanently retains the domain-naming master role.
• This is why Microsoft recommends that the first NT4 server converted to Windows 2000 should be the NT4 PDC.
• Access between forests are estabalished with one-way explicit trusts between different Active Directory directories.
• Explicit trusts are not transferable as with transitive trusts.

DNS (Domain Name System)

• Each child domain requires a DSN subdomain.
• Forward DNS lookup query resolves a name to a given IP address.
• A reverse DNS lookup query resolves an IP address for a given name.

  Each DNS zone database file contains SRV resource records which point to DNS hosts running Active Directory. In Windows 2000 native mode, it can be larger than the 40 MB limit NT4 had.

  They must be registered manually on Windows NT, which does not dynamically update DNS. They are stored in Netlogon.dns files on %systemroot%\System32\Config and read by the DNS MMC and updated by standard DNS zone transfers.

  Active Directory Integrated Zones are replicated through Active Directory to provide fault tolerance for DNS.

Permissions

Read permission includes viewing the object owner and permissions as well as the object attributes.

Full Control allows change permissions and assign ownership.

To create a domain (as the domain's eadmin -- Enterprise Admin):

• Non-members of the eaadmin group can pre-create a domain controller:
  1. Open a command-line utility:
  2. NTDSutil
  3. domain management
  4. precreate DC=sales,DC=mycompany,DC=com server1.mycompany.com

...

Trees

Domains with a common root name share a contiguous namespace which organize domains into a hierarchical tree.
• Trees help structure delegation.
• Trees do not have their own boundary for storage and replication.
• Trees allow objects from one domain to access resources on another domain.
• Multiple Domain Trees (MDT's) have a single root domain.

  To implement a new tree in a forest, use the Active Directory Installation Wizard.

Directory Replication & Synchronization

Two methods:
• Each domain controller replicates domain partition to the next server in its own domain ring using uncompressed RPC (Remote Procedural Calls) protocol over TCP/IP, a synchronous transport. This type of replication occurs every 5 minutes by default.
• Inter-site replication traffic between sites use dynamically assigned port numbers using compressed asychoronous SMTP email traffic via the IIS5 service and Collaboration Data Objects (CDO v2) interface.
• In a multi-site topology, a domain controller may be a Bridgehead for contact with adjacent sites.
• Inter-site Transports topology is controlled by settings for the cost of each link.

  DCs fulfill five Flexible (Floating) Single-Master Operation (FSMO) roles for replication: Roles:

  1. The PDC Emulator (PDC Advertiser) acts as the PDC for down-level BDCs in mixed mode operation. In native mode, it is the first to receive replications and logon requests from other DCs. So, there can only be one of these per domain.
  2. The Relative ID Operations Master administers allocation of Relative ID sequences of the SID. So, there can only be one of these per domain.
  3. The Infrastructure Master administers additions or changes in user/group mappings. So, there can only be one of these per domain.
  4. The Domain Naming Operations Master administers addition or removal of domains in a forest or cross-references to external directory services (such as on Exchange and Novell). So, there can only be one of these per forest.
  5. The Schema Operations Master administers schema updates and changes within its own forest. So, there can only be one of these per forest.

  Use NTDSUTIL.exe (the Swiss Army knife) on the domain controller which wants to seize the role.

  Use Essentutl.exe to repair the database and to validate the database (integrity check to see if is damaged).

• For updates, Active Directory uses a multi-master model where all domain controllers are equivalent. All domain controllers perform replication. Categories:
  • Originating (committed) update to
  • Replicated update

USN

The domain controller maintains a sequential Update Sequence Number (USN) counter. When an object is created, it is assigned an Original USN imcremented from the USN counter.
• To prevent both loss and duplication replication, stamp number for object on each of the other servers in the domain.
• The Current USN is also assigned to any object when it is changed. View them in "Advanced Features" object properties.

  For Propegation Dampening, each domain controller maintains a table containing the identifying GUID of other domain controllers and two vetors: An Up-to-date vector containing the largest originating USN from each of the otehr domain controllers and a High watermark vector

  For each attribute of each object, the domain controller maintains a Version number and timestamp of when the last update occured.

  Replication Latency = Propegation delay toward Replication Convergence, when all updates have been processed.

• The Knowledge Consistency Checker automatically (dynamically) generates a replication topology which allows for at least two connections to every domain controller.

• Synchronization (mapping) between two different schemas (two different implementations of directory services) is done by an agent -- security principal.

• Perfmon "NTDS" object counters "DRA Inboud/Outbound Bytes Total/Non-compressed/Compressed"