Windows AD

What is an Active Directory?

  • Active Directory is a directory service provided by Microsoft to centrally manage objects in a domain network. Users, Computers, groups etc are all objects. For example, a user can be considered as an object with attributes such as First Name, Last Name, Phone Number etc.

AD objects

  • AD is based on LDAP version 2 and 3.
  • AD uses Microsoft’s version of Kerberos protocol and DNS. Kerberos is a network authentication protocol.
  • AD LDAP port: 389

Important Folders in AD

three folders while installing AD

Replacing Primary (and Secondary) Domain controller (due to hardware issue) by performing Seizing FSMO roles and metadata cleanup

https://theamvj.wordpress.com/2016/11/11/replacing-primary-and-secondary-domain-controller/

Functional Levels in AD

Functional levels determine the available Active Directory Domain Services (AD DS) domain or forest capabilities. They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

You cannot set the domain functional level to a value that is lower than the forest functional level. For example, if you set the forest functional level to Windows Server 2008, you can set the domain functional level only to Windows Server 2008.

http://technet.microsoft.com/en-us/library/cc771294.aspx

To Raise Forest functional level:

Note: You need to have Enterprise Admin privileges to do this.

Open AD Domain and Trusts -> right click the top section and select Raise Forest functional level

forest-functional-level

 

 

 

 

 

To Raise Domain functional level:

Open AD Domain and trusts -> Right click the domain -> Select Raise Domain functional level

domain-functional-level

 

 

 

 

 

 

Advantages of upping functional level from 2003 to 2008

Distributed File System Replication (DFSR) replication support for the Windows Server 2008 System Volume (SYSVOL)
•Domain-based DFS namespaces running in Windows Server 2008 Mode, which includes support for access-based enumeration and increased scalability.

•Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.

•Last Interactive Logon Information
Last Interactive Logon Information displays the following information:

The total number of failed logon attempts at a domain-joined Windows Server 2008 server or a Windows Vista   workstation
The total number of failed logon attempts after a successful logon to a Windows Server 2008 server or a Windows Vista workstation
The time of the last failed logon attempt at a Windows Server 2008 or a Windows Vista workstation
The time of the last successful logon attempt at a Windows Server 2008 server or a Windows Vista workstation

•Fine-grained password policies
Fine-grained password policies make it possible for you to specify password and account lockout policies for users and global security groups in a domain.

Source: https://www.experts-exchange.com/questions/28448072/Benefits-of-Raising-the-Domain-and-Forest-Functional-Level.html

———————

Windows 2008 R2 versions

windows-2008-r2-versions

windows-2008-r2-edition-comparison

What is new in Windows 2008 server?

  • Active Directory Application Mode (ADAM).
  • Active Directory Federation Services (AD FS)
  • Active Directory Rights Management Services (AD RMS)
  • Active Directory Certificate Services (AD CS)
  • Read -only domain controllers (RODCs)
  • Active Directory on Windows Server Core installation

Group policy. step-by-step guide

https://technet.microsoft.com/en-us/library/bb742376.aspx#EDAA

Windows AD groups

There are three different group scopes; domain local, global and universal.

Group Visibility Members Can contain
Domain local Group is visible to own domain Can contain users and group from same domain Global groups and universal groups
Global Group is visible throughout the forest Can contain users and groups from same domain Global group from own domain
Universal Group is visible throughout the forest Can contain users and groups from any domain in the forest Global and universal groups from any domain

Domain Admin, Enterprise Admin & Schema Admin

domain-enterprise-schema-admins

NTDS.dit

NTDS.dit is the AD database. It is located in C:\Windows\NTDS folder

Below are the contents of NTDS folder

ntds-contents

SYSVOL

Sysvol Folder contains Group policies, Logon and logoff scripts. C:\Windows\SYSVOL

sysvol

sysvol-2

Important services in a Domain controller

https://theamvj.wordpress.com/2017/01/25/important-domain-controller-services/

How to rename a Domain controller

http://www.dell.com/support/article/us/en/19/SLN156264/windows-server—how-to-rename-a-domain-controller?lang=EN

http://www.rebeladmin.com/2015/05/step-by-step-guide-to-rename-active-directory-domain-name/

https://community.spiceworks.com/how_to/103538-properly-renaming-a-domain-controller-server-2012r2

AD Partitions

Directory partition is where the AD information is segregated and logically stored. Schema, Configuration and Domain partitions are native partitions.

ad-partitions1

Note: Schema and configuration partitions are known as Enterprise partitions.

  • Configuration: The configuration partition or naming context (NC) contains objects that relate to the logical structure of the forest, structure of the domain, and replication topology. Each domain controller in the forest contains a read/write copy of the configuration partition. Any objects stored in the configuration partition are replicated to each domain controller in each domain, and in a forest.
  • Domain: The domain partition or naming context (NC) contains all objects that are stored in a domain. Each domain controller in a domain has a read/write copy of the domain partition. Objects in the domain partition are replicated to only the domain controllers within a domain.
  • Schema: The schema partition or naming context (NC) contains objects that can be created in the Active Directory directory, and the attributes which these objects can contain. Domain controllers in a forest have a read-only copy of the schema partition. Objects stored in the schema partition are replicated to each domain controller in domains/forests.
  • Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application specific objects. The objects or data that applications and services store here can comprise of any object type excluding security principles. Security principles are Users, Groups, and Computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS), and Dynamic Host Configuration Protocol (DHCP).

Active Directory® Service Interfaces Editor (ADSI Edit) is a Lightweight Directory Access Protocol (LDAP) editor that you can use to manage objects and attributes in Active Directory Domain Services (AD DS).

ADSI Edit (adsiedit.msc) provides a view of every object and attribute in an Active Directory forest. You can use ADSI Edit to query, view, and edit attributes that are not exposed through other AD DS Microsoft Management Console (MMC) snap-ins: Active Directory Users and Computers, Active Directory Sites and Services, Active Directory Domains and Trusts, and Active Directory Schema.

In the Windows Server® 2008 and higher operating system you can use ADSI Edit to administer fine-grained password and account lockout policies. For more information, see the Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration (http://go.microsoft.com/fwlink/?LinkID=91477).

Duplicate SID

https://pubs.vmware.com/vsphere-51/index.jsp?topic=%2Fcom.vmware.vsphere.vm_admin.doc%2FGUID-F3E382AB-72F6-498A-BD26-7EC0BFE320A0.html

” You can prevent Windows from assigning new virtual machines or templates with the same Security IDs (SIDs) as the original virtual machine. Duplicate SIDs do not cause problems when the computers are part of a domain and only domain user accounts are used. However, if the computers are part of a Workgroup or local user accounts are used, duplicate SIDs can compromise file access controls. “

FSMO roles

FSMO roles are automatically installed during domain creation and there is a very little reason to move them. If you decommission a DC or a failure of a DC, you need to know about recovering the roles / transfer to another DC.

http://support.microsoft.com/kb/324801

http://www.petri.co.il/determining_fsmo_role_holders.htm

http://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

http://support.microsoft.com/kb/234790

Verify successful replication to a domain controller

http://technet.microsoft.com/en-us/library/cc794749%28v=ws.10%29.aspx

1. In Windows Server® 2003 and Microsoft Windows® 2000 Server, the directory service is named Active Directory. In Windows Server 2008 R2 and Windows Server 2008, the directory service is named Active Directory Domain Services.

——————

Multimaster Operations

A domain can deploy many domain controllers, and all domain controllers can accept Active Directory changes. Earlier versions of Windows NT used multiple domain controllers, only one of which was allowed to update the directory database. This single-master scheme required all changes to be replicated from the primary domain controller to the backup domain controllers.

In Windows 2000, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations — that is, changes to these objects can be made on any domain controller. There are some operations, however, that are not performed as multimaster operations because they must occur at only one place and time. For these operations, there are specially designated domain controllers that manage the operations singly.

Ex: Global catalog falls under Multi-master operations.

Single-Master Operations

Most operations can be made at any domain controller and the effects of these operations (for example, deleting a user object) are replicated to all other domain controllers that store a replica of the same directory partition in which the change occurred. However, there are certain operations that must occur at only one domain controller.

The domain controllers that are assigned to manage single-master operations are called role owners for the operations. (For more information about managing single-master operations, see “Managing Flexible Single-Master Operations” )

Ex: All FSMO roles falls under Single-Master operations

—————

2. FSMO – Flexible Single Master operations

By default, all the roles would be assigned to the controller domain during domain creation.

Roles

Command to find FMSO roles

Open command prompt:

NetDOM query FSMO or NetDOM /query FSMO (both are correct)

As you can see the below screenshot, all the FSMO roles are assigned to a single Domain controller.

fsmo-roles

Schema master – Controls and updates all schema modifications. There can be only one Schema master in the whole forest. Modifications include changes to an object / object attributes.

Every object in AD has some attributes. For ex: a user can have profile path, telephone numbers, first name and last name etc. Schema provides the definition of the object.

Each time the AD database is queried for a particular object, it is the Schema while provides the structure of the object. Schema make sure the attributes of an object are within the standard defined in AD.

Schema

Defines rules for object creation and modification for all objects in the forest. Use AD domain and trusts for viewing Schema Master.

In other words, Windows Active Directory uses the Schema for object creation or modification. Objects such as user, computer etc are different. Creating or modifying these needs different set of procedures. AD checks with Schema before doing these operations.

More: https://technet.microsoft.com/en-in/library/cc784826%28v=ws.10%29.aspx

ad-schema

Domain naming master – Controls addition or removal of domains in a forest. There can be only one domain naming master in the whole forest.

Relative ID master – Associates SID to a newly created object (ex: user or group). While IDs given to user, group or computer is SID. SID contain domain SID and a RID.

What is RID pool ?

  • Users, Computers and Groups are called Security Principals. Whenever a Security principal is created in AD it get unique ID called SID. SID contains Domain ID and Relative ID (RID).
  • Each domain controller is given a pool of RIDs by the RID master. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain.
  • Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL.
  • Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
  • By default, RID pools are obtained in increments of 500. A maximum of 1,073,741,824 (230) RIDs can be assigned to objects in AD.

If RID master goes down, what are the consequences ?

RID master is responsible for assigning new SID (Security Identifier) to objects (User and computers) in AD. If it goes down, we can create objects only till the RID pool has RIDs. We cannot create any more objects than that.

SID vs RID vs GUID

SID:

Every Windows user, computer and service account has a unique alphanumeric characters called Security Identifier (SID).

Ex:

SID RIDFirst 5 digits usually represent well known SID (users or groups).

RID

The relative identifier (RID) Is a variable length number that is assigned to objects at creation and becomes part of the object’s security identifier. RID master is responsible for assigning RID to objects in the domain.

PDC Emulator – (Primary Domain Controller Emulator) is responsible for synchronizing time with clients. Also responsible for account lockout, bad password, authentication etc. At any one time, there can be only one domain controller acting as the PDC emulator master in each domain in the forest.

PDC Emulator role is considered important FSMO role in Active Directory

Infrastructure Master – The purpose of this role is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. There can be only one IM in a domain.

Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

Global Catalog server (GCS)

GCS have full details about all objects in its domain and partial details about objects in other domains in the forest
GCS is Domain controller (usually a secondary / additional DC) that stores information of all objects in the forest. GCS stores full, writable replica of Schma and config directory partitions and a full writable replica of the domain directory partition of the domain.

In order for users to find resources in any domain in the forest (remember that each domain has a separate database), Domain Controllers can be made into Global Catalog Servers.

  • A Global Catalog Server contains partial information about every object in the forest.
  • Use of GC is they give faster search results.
  • GC is also used for user authentication. If GC is not available, user logon fails.
  • Global catalog queries port 3268 while LDAP queries port 389
  • Usually the secondary Domain controller are assigned as a Global Catalog server.
  • Have GCS if the number of users are more than 100.

Using this information, the user can conduct searches.

    • Global catalog (GC) is a role handled by domain controllers in an Active directory model.
    • The global catalog stores a full copy of all objects in the directory for its host domain and a partial copy of all objects for all other domains in the forest.
    • ‘Partial copy’ refers to the set of attributes that are most used for searching every object in every domain.
    • All domain controllers can be promoted as a GC.
    • GC helps in faster search of AD objects.
    • The replicas that are replicated to the global catalog also include the access permissions for each object and attribute.
    • If you are searching for an object that you do not have permission to access, you do not see the object in the list of search results. Users can find only objects to which they are allowed access.
    • Global catalog server clients depend on DNS to provide the IP address of global catalog servers. DNS is required to advertise global catalog servers for domain controller location.

Global catalog is needed for:

  • Forest wide searches
  • User logon
  • Exchange name lookups

How to find Global Catalog servers ?

Open AD sites and services, Expand the server -> Right click NTDS settings -> Properties

You can find Global Catalog is checked in the properties. Usually the secondary AD servers are Global Catalog servers.

global-catalog-server

One bloody good article on FSMO

http://archive.oreilly.com/pub/a/windows/2004/06/15/fsmo.html

—————–

Infrastructure Master and Global Catalog on same server

In general, Infrastructure Master and Global Catalog FSMO role should NOT be placed on the same Domain controller. If it is placed on same server then cross-domain object references in that domain will not be updated.

There are some exceptions:

  • All DCs in the Domain are also Global Catalog
  • The Forest contains only one Domain

Explanation for the Exceptions:

  • If we have only one domain, then the Infrastructure Master is Idle, it has nothing to do (because no cross-domain changes will exist at all as no other domain exists)
  • Infrastructure Master Holder is responsible of syncing Cross-Domain Group Membership Changes, it then replicate these changes to other domain controllers in the domain.
  • If all DCs are GCs then they already knows all things about Objects in the Forest (GC have full details about all objects in its domain and partial details about objects in other domains in the forest)

——————

Symptoms of FSMO problems

If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the table below describes some of the symptoms that can occur when FSMO role holders go missing or don’t work properly.

fsmo-problems

Rules for FSMO role placement

Since FSMO roles are crucial for the proper functioning of an AD-based network, it’s a good idea to get them right from the planning stage of your deployment. By default, when you install the first DC of your forest root domain, this first DC holds all five FSMO roles. When you install the first DC of any other domain in your forest, that DC will hold all three domain FSMO roles (PDC Emulator, RID Master, and Infrastructure Master). Depending on the complexity of your network, however, this default roles assignment may not be appropriate, so you need to transfer some of your roles to a different machine to achieve optimal FSMO-role placement on your network. See KB 223787 and KB 255504 for how to transfer roles. KB 321469 also has information on how to transfer roles using scripts.

Proper FSMO role placement basically boils down to a few simple rules, tips, and exceptions:

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.

  • Tip: Since the PDC Emulator is the role that does the most work by far of any FSMO role, if the machine holding the PDC Emulator role is heavily utilized then move this role and the RID Master role to a different DC, preferable not a global catalog server (GC) since those are often heavily used also.

Rule 2: The Infrastructure Master should not be placed on a GC.

  • Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.
  • Exception 1: It’s OK to put the Infrastructure Master on a GC if your forest has only one domain.
  • Exception 2: It’s OK to put the Infrastructure Master on a GC if every DC in your forest has the GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

  • Exception: If you’ve raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn’t need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.

  • Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.

————————-

Directory Services Restore Mode

If you Domain controller is crashed. We can restore them there is a Backup taken using System state backup. During the restore option we have to choose either Authoritative or Non-Authoritative restore. You will get this option in Domain controller restart -> F8 -> Directory Services Restore Mode.

Non-Authoritative : Used most commonly in cases when a DC because of a hardware or software related reasons, this is the default directory services restore mode selection. In this mode, the operating system restores the domain controller’s contents from the backup. After this, the domain controller then through replication receives all directory changes that have been made since the backup from the other domain controllers in the network.

Authoritative : An authoritative restore is most commonly used in cases in which a change was made within the directory that must be reversed, such as deleting an organization unit by mistake. This process restores the DC from the backup and then replicates to and overwrites all other domain controllers in the network to match the restored DC. The especially valuable thing about this is that you can choose to only make certain objects within the directory authoritative.

For example, if you delete an OU by mistake you can choose to make it authoritative. This will replicate the deleted OU back to all of the other DC’s in the network and then use all of the other information from these other DC’s to update the newly restored server back up to date.

authoritative-and-non-authoritative-restore

http://www.windowsnetworking.com/kbase/WindowsTips/Windows2003/AdminTips/ActiveDirectory/Authoritativevs.Non-AuthoritativeRestorationofActiveDirectory.html

———————————

Important services in Windows Domain controller

https://theamvj.wordpress.com/2017/01/25/important-domain-controller-services/

———————————-

System state backup

A system state backup can take backup of the following (if configured on the server):

  1. Boot files (boot.ini, NTLDR, NTDetect.com
  2. Windows Registry including COM settings
  3. SYSVOL (Group policies and Logon scripts)
  4. AD
  5. NTDS.DIT (AD database)
  6. Certificate store
  7. IIS
  8. Cluster service information

We can do Directory Services Restore Mode only if we take system state backup.

————————-

AD Domains and Trusts

  • Here we can see the Domain naming Master server. You can see the server name in Active Directory Domains and Trusts [ …Domain naming Master server name…]
  • Here we can see the Domain and forest functional level. Right click the root domain -> Properties
  • Here we can raise the Domain function level. Right click the root domain -> Raise Domain Functional Level…

AD Users and Computers

  • Here we can see and change the roles of RID Master, PDC Emulator and Infrastructure Master. AD Users and computers -> Right click the top or right click the Root domain and select All Tasks -> Operations Master… ->Click the 3 individual tabs to see RID, PDC and Infrastructure master.
  • Here we can see Raise Domain Functional level
  • Here we can connect to different Domain or Different Domain controllers.

AD Sites and Services

  • Here we can connect to different Forest (if we have)
  • Here we can see Global Catalog servers.
  • Here we can see servers in each sites.
  • Here we can see the Replication topology, Replication between the servers. We can also manually replicate between the Domain controllers here.

————————-

Tree
When you have multiple domains in the same namespace (e.g., ITFreeTraining.com, west.ITFreeTraining.com, and sales.ITFreeTraining.com), they are considered to be in the same tree. The tree also supports multiple levels of domains. For example, you could have west.sales.ITFreeTraining.com and east.ITFreeTraining.com in the same tree.

IC197061

Forest
A forest is a collection of one or more domains which may have one or more trees. What makes a forest unique is that it shares the same schema. The schema defines what and how Active Directory objects are stored. The schema defines the database for the whole forest but it should be remembered that each domain in the forest has its own copy of the database based on the schema.

Trusts
Parent and child domains are automatically linked by a trust. Users in different domains can use these trusts to access resources in another domain assuming that they have access. Trees in the forest are linked together via a trust automatically. This ensures that any users in any domain in the forest can access any resource in the forest to which they have access.

ad-trust

Trust types:

Parent / Child trust: Trust between Parent and Child domain that have common DNS namespace.

This trust is established when a child domain is created in a domain tree.

Tree Root trust: Trust between root domains in same forest.

Shortcut trust: Trust between two domains in different domain trees within same forest. Improves user logon times

External trust:  Trust between AD domain and Windows NT4 domain

Realm trust: Trust between AD domain and a non-Windows kerberos realm

Forest trust: Forest trust is created between two forests.

Trust ways:

Trust can be one-way or two-ways

One-way trust:

One-way trust is divided into 2 types: incoming and outgoing trust

Incoming trust: Trust is created in the trusted domain. Users in trusted domain can access resources in both trusted and other domain. Users in other domain cannot access resources in trusted domain.

Outgoing trust: Users in the other domain able to access network resources in initiating domain. Users in initiating domain cannot access resources in other domain.

Two-way trust: Users in both domains can access resources at other side.

Trusts can be explicit and Implicit

Implicit: Trust that are automatically established when we create a child domain. This is a two-way trust.

Explicit: Manually created trusts are explicit.

  • RODC
    • New feature in Windows 2008
    • Only have the read only copy of directory database
    • RODC will have all the objects of a normal DC in read only mode. But this doesn’t include passwords. RODC does not store password of accounts.
    • Updates are replicated to RODC by writable DC
    • Password caching : A feature which enables RODC to cache password of the logged in users.
    • Password Replication Policy: Determines whether the password can be cached or not.
    • DNS can be integrated with RODC but will not directly register client updates. For any DNS change, the RODC refers the client to DNS server that hosts a primary or AD integrated zone

Universal Group Membership Caching (UGMC)

Eliminates the need for Global Catalog for login authentication. If this feature is enabled on a server, any DC server can authenticate the user logon. UGMC locally cache the user’s membership in DCs and it is introduced in Windows 2003 server.

Use UGMC if users are less than 100 and don’t include large number of roaming users.

To enable UGMC

Goto AD sites and services

<<<<< pending !!! >>>>>>

——–

Recovering a deleted AD object

  • Use Directory services Restore Mode to recover a deleted AD object
  • Use AD recycle bin to recover the deleted AD object
  • Other option is by restoring if your DC is taken regular backup through say Symantec Netbackup

AD Recycle bin

This feature was introduced in Windows 2008 R2. This feature is disabled by default. You have to enable it.

There are two enable AD Recycle bin Feature:

  • Through PowerShell
  • ldp.exe

Prerequisites for enabling AD Recycle Bin:

Run Adprep to update your Active Directory schema with the necessary Active Directory Recycle Bin attributes. Membership in the Schema Admins group is the minimum required to complete

https://technet.microsoft.com/en-us/library/dd379484%28v=ws.10%29.aspx

Steps to enable AD Recycle Bin:

https://technet.microsoft.com/en-us/library/dd379481%28v=ws.10%29.aspx

AD Recycle bin step-by-step:

https://technet.microsoft.com/en-us/library/dd392261(v=ws.10).aspx

http://www.dell.com/support/article/us/en/19/SLN156374/en

Steps to recover deleted AD object:

We can recover deleted object using:

  • Through Powershell (Get-ADObject and Restore-ADObject cmdlets)
  • ldp.exe

https://technet.microsoft.com/en-us/library/dd379509%28v=ws.10%29.aspx

http://www.dell.com/support/Article/us/en/4/SLN156497/EN

———

Forest

Forest is a collection of AD domains that share a single Schema. All DCs in the forest share this schema.

Domain

Domain is a collection of objects such as users and computers which has a administrative boundary.

Organizational unit

OU is like a folder where we can move users and computers and assign restrictions / privileges.

Group policy

Processing of GPO is initiated from the client side rather than pushed from Domain controller. Group policy is used to create logon / logoff actions in AD. Group policy can control over 500 settings such as backgroup images to TCP/IP settings.

> We can deploy 999 group policies to an OU / object in AD.

LDAP
Light weight directory access protocol. It is a directory service.

Active Directory Integrated zones

AD Integrated DNS means AD server has DNS role.

DNS Zone transfer is taken care by AD replication. So no separate DNS replication is needed. This is needed if DNS is not an AD server.

———

In Windows 2000 & 2003  the directory service is called Active Directory. In Windows Server 2008 and Windows Server 2008 R2, the directory service is named Active Directory Domain Services (AD DS).

Regardless of the domain or function level, servers running Windows NT Server 4.0 are NOT supported by domain controllers that are running Windows Server 2008, meaning you MUST have additional DCs running Windows 2000/2003 to support older NT 4.0 servers.

Windows 2008 supports Windows NT servers SP 4


Replication

Bridgehead Server:

Bridgehead server is a Domain controller that is used to send replication information to one or more sites. It is the point of contact for other DCs in another site.

A server is designated as Bridgehead automatically or assigned manually. Manually we can do this through AD sites and services. If a server is manually designated as bridgehead and if its down, replication would not happen.

We can assign more than one Bridgehead server for a site.

Command to see the list of Bridgeheads in a Domain

repadmin /bridgeheads

————–

Replication

Once an Administrator makes changes in the Active Directory and if the AD database does not encounter any change for the next 5 minutes, Domain controller will replicate the database to its replication partner or other Domain controllers.

Technically speaking, replication initiates whenever there is a change in USN (Update Sequence Number) values between Domain controllers. Whenever there is a change in the object in the Domain controller, USN value increments. You can find that in AD sites and services -> Sites -> Servers -> NTDS Settings -> Properties -> Object.

usn

 

What is USN (Update Sequence number) ?

Every object in AD has a USN. As objects are modified, the USN increases like an odometer on a car. The latest USN on each DC is called the “high water mark”. During replication each DC compares its USN high water mark with the USN high water mark of its neighbours.

A domain controller tracks objects in AD based on their Update Sequence Numbers (USN).

AD Replication

u4

http://www.thenetworkencyclopedia.com/entry/update-sequence-number-usn/

Note: If no changes are made on all DCs, Replication will happen once every 6 hours.

DFS, DFSR

Distributed File System (DFS) has been around since Windows NT. It is also available in Windows 2000, Windows 2003 and Windows 2003 R2, and available as a legacy product in Windows 2008.

DFS used File Replication Service (FRS) for replication.

Microsoft delivered a completely new replication engine called Distributed File System Replication (DFSR) for Windows 2003 R2, and Windows 2008. Microsoft calls DFS as legacy replication system and the new one is DFSR.

Limitations of FRS and Legacy DFS
FRS replicates the entire file even if only a few bytes have changed. There’s an approximate limit of 65GB in a share that can effectively be replicated by DFS/FRS. Exceeding this limit results in inconsistency and poor performance.

The maximum tested file size is 64GB.

Each server can be a member of up to 256 replication groups.

Each replication group can have up to 256 replicated folders.

Each server can have up to 256 connections (for example, 128 incoming connections and 128 outgoing connections).

DFSR

The Distributed File System Replication (DFSR) service is a new multi-master replication engine that is used to keep folders synchronized on multiple servers.

SYSVOL replication in Windows 2008 R2 and above uses DFSR

Replicating data to multiple servers increases data availability and gives users in remote sites fast, reliable access to files. DFSR uses a new compression algorithm called Remote Differential Compression (RDC). RDC is a “diff over the wire” protocol that can be used to efficiently update files over a limited-bandwidth network. RDC detects insertions, removals, and rearrangements of data in files, enabling DFSR to replicate only the deltas (changes) when files are updated.

The DFSR service uses RPC to communicate between servers. It replicates a folder scope defined by the replicated folder path. The set of computers participating in replication is defined by a configured topology of connections and is called a replication group. Multiple replicated folders can be included in a replication group, with memberships selectively enabling or disabling specific replicated folders. The DFSR service uses WMI to configure server-wide parameters, while global parameters and certain replicated folder-specific parameters are configured using Active Directory. DFSR also uses WMI to expose monitoring information regarding specific objects such as replicated folders and connections.

Replmon vs Repadmin command line utilities

Repadmin

The Replmon utility was introduced with the Windows Server 2000 Support Tools.  But in Windows 2008, it was replaced with Repadmin.exe. Replmon is a tool to generally look at replication and keep an eye on the progress. It would be a tool to help ensure replication is healthy in the environment.

Repadmin
Repadmin can be used in the same way (minus the UI – it is all command-line) but repadmin also has a lot of switches that can be used to control replication.

Knowledge Consistency Checker (KCC)

KCC maintains replication topology. Replication Topology specifies what DC will replicate to which other DC in the site. KCC ensures changes made to a DC is replicated to all DC in a site.

In other words, the Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for the generation of the replication topology between domain controllers.

Active Directory Replication Topology Options: Active Directory Sites and Services are the logical presentation of physical WAN connectivity and switching of your LAN and WAN. The Active Directory replication topologies typically are:

  • Ring Topology: With intra-site replication, the KCC creates a ring topology that defines the replication paths within a site. In a ring topology, each domain controller in a site has two inbound and outbound replication partners. The KCC creates the ring so that there is no greater than three hops between domain controllers in a site.
  • Full Mesh Topology: This topology is typically utilized in an organizations where redundancy is extremely important for all sites. You can configure full mesh if you have IPWAN or MPLS connections in all sites. A mix of MPLS and ADSL or other method of connectivity do not constitute full mesh. A full mesh topology is quite expensive to manage and is not scalable.
  • Hub And Spoke Topology: This topology is typically implemented in large organizations where scalability is important consideration. In this topology, one or multiple hub sites exist that have WAN connections to multiple spoke sites. The hub sites are usually connected to each other through high speed WAN connections.
  • Hybrid Topology: The hybrid topology is combination of any of the above topologies. This is not a recommended topology even if you have high speed duct fibre or other WAN connectivity.

AD Manual replication

https://theamvj.wordpress.com/2016/08/17/how-to-manually-replicate-windows-active-directory/

 

You can use Microsoft Active Directory Replication status tool to check Replication issues or use the command line.

Active Directory Replication Status tool:

https://www.microsoft.com/en-us/download/details.aspx?id=30005

cmd:

repadmin /showrepl

————————

DCPromo Command

dcpromo

Domain controller Promotion. Used in Windows 2008 R2 and older versions to promote a server into Domain controller

dcpromo /forceremoval

Used to forcibly remove AD DS from a Domain controller.

————————

Check the replication topology

AD sites and services -> Sites -> Servers -> Expand the server -> Right click NTDS settings -> All tasks -> Check Replication Toplogy

AD replication

To manually Replicate

AD sites and services -> Sites -> Servers -> Expand the server -> NTDS settings -> On the right hand side, servers will be displayed -> Right click the server and select replicate now

AD replication 2

———————-

ad-12

———————-

Adprep.exe

Note: This is a deprecated tool in Windows 2012 server.

What is the use of ADprep.exe ?

Adprep.exe has parameters that perform a variety of operations that help prepare an existing Active Directory environment for a domain controller that runs a later version of Windows Server. Not all versions of Adprep.exe perform the same operations, but generally the different types of operations that Adprep.exe can perform include the following:

  • Updating the Active Directory schema
  • Updating security descriptors
  • Modifying access control lists (ACLs) on Active Directory objects and on files in the SYSVOL shared folder
  • Creating new objects, as needed
  • Creating new containers, as needed

For example, if your organization has domain controllers that run Windows 2000 Server or Windows Server 2003, before you can add a new domain controller that runs Windows Server 2008 R2 or upgrade one of the existing domain controllers to Windows Server 2008 R2, you must run Adprep.exe from the \Support\Adprep folder of the Windows Server 2008 R2 installation DVD on your existing domain controllers.

If you currently have domain controllers that run Windows Server 2003 and you want to add domain controllers that run Windows Server 2008 R2, you only have to run Adprep.exe from the Windows Server 2008 R2 operating system disk. It is not necessary to run the version from Windows Server 2008 because the version in Windows Server 2008 R2 includes all the changes from previous versions.

Backups

Differential backup
A process that backs up only files that have changed since the last full backup.

Incremental backup
A process that backs up only those files that have changed since the last backup, whether it is a full or incremental backup.

—————

Active Directory Federation Services (AD FS)

AD FS is used to implement and manage single sign-on. Ex: ADFS can be used to implement single sign-on for multiple websites.

Active Directory Domain Services (AD DS)

ADDS is used to create domains and domain controller.

Active Directory Ceritificate Services (AD CS)

ADCS is used to create and manage public key certificate.

Active Directory LightWeight directory Services (AD LDS)

AD LDS provides similar functionality as AD DS but without the AD DS restrictions such as Domain or Domain controller.

Active Directory Rights Management System (AD RMS)

AD RMS is to manage sensitive data. It used to define who can open, modify, print, forward word application, docs, email clients etc.

Active Directory Users and Computers (AD UC)

AD UC is used to manage users and computers

Active Directory Sites and Services (AD SS)

AD SS is used to manage sites (child domain), replication in a domain.


Important AD related stuffs

  1. Active Directory database garbage collection process 

Garbage collection is a housekeeping process that is designed to free space within the Active Directory database. In Windows 2000 and in the original release version of Windows Server 2003, this process runs on every domain controller in the enterprise with a default lifetime interval of 12 hours.

Tombstone

Deleted AD object is called Tombstone.

When an object is deleted, it is not removed from the Active Directory database. Instead, the object is instead marked for deletion at a later date. This mark is then replicated to other domain controllers. Once the Tombstone crosses it end of Life time, it is permanently deleted.

  • Default Tombstone lifetime (TSL) is 60 days for Windows 2000 & 2003.
  • Default Tombstone lifetime (TSL) is 180 days for Windows 2003 SP2 and above.
  • Tombstone lifetime (TSL) value can be increased or decreased. You can edit this value in ADSI edit (ADSIedit.msc). Navigate to CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=domain, DC=com. Right-click the CN=Directory Service object and select Properties.

https://technet.microsoft.com/library/cc949124(ws.10).aspx

Phantom Object

Phantom objects are created if an object is deleted in Active Directory but there are still references or links to the object.

Phantom objects may also be created if a local domain group has a user from another domain as a member.

If a domain controller has the infrastructure role and is simultaneously the global catalog server,  phantom objects are never created.

  • If the tombstone period of the object runs out AD removes it completely. However if there is a reference to the object still, the object remains in AD and becomes a phantom object.
  • Phantom objects are low-level database objects that Active Directory uses for internal management operations. Two common instances of phantom objects are:
    – Objects that have been deleted (tombstone passed but object still present).
    – A domain local group has a member user from another domain in the Active Directory forest.
  • Phantom objects are special kinds of internal database tracking objects that cannot be viewed through any LDAP interface.
  • Deleted objects that have exceeded the tombstone period will remain in AD, the object itself is deleted and a phantom object is created in its place. Phantom objects get automatically removed by the infrastructure master when the references are removed.

Lingering Object

When restoring a backup file, Active Directory generally requires that the backup file be no more than 180 days old. (The limit is 60 days if the AD forest was originally created with Windows Server 2000.) If attempt to you restore an backup that is expired, you may encounter problems due to “lingering objects”.

What Are Lingering Objects?

A lingering object is a deleted AD object that re-appears (“lingers”) on the restored domain controller (DC) in its local copy of Active Directory. This can happen if, after the backup was made, the object was deleted on another DC more than than 180 days ago.

When a DC deletes an object it replaces the object with a tombstone object. The tombstone object is a placeholder that represents the deleted object. When replication occurs, the tombstone object is transmitted to the other DCs, which causes them to delete the AD object as well.

Tombstone objects are kept for 180 days, after which they are garbage-collected and removed.

If a DC is restored from a backup that contains an object deleted elsewhere, the object will re-appear on the restored DC. Because the tombstone object on the other DCs has been removed, the restored DC will not receive the tombstone object (via replication), and so it will never be notified of the deletion. The deleted object will “linger” in the restored local copy of Active Directory.

How to Remove Lingering Objects ?

You can manually remove lingering objects using the console utility console utility REPADMIN.EXE. REPADMIN.EXE can be found in the Windows Server 2003 Support Tools, located on the Windows 2003 Server CD/DVD. (It is standard on Windows Server 2008-2016.) Use the option /removelingeringobjects. See below for more information.

Go to below location for the steps and tools to remove lingering objects in AD

https://blogs.technet.microsoft.com/askds/2014/09/15/remove-lingering-objects-that-cause-ad-replication-error-8606-and-friends/

ad-objects

2. AD Replication

There are 2 types of AD Replication: Intrasite and Intersite replication

Intrasite replication:

It is replication within a site. The default replication interval is every 15 seconds.

Intersite replication:

It is replication between sites. The default replication interval is every 3 hours.

  • Replication between Bridge Head servers across sites.

 

Windows File Replication Services (FRS)

Important read the contents in the link:

https://technet.microsoft.com/en-in/library/cc781582%28v=ws.10%29.aspx

File Replication service (FRS) is a technology that replicates files and folders stored in the SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared folders. When FRS detects that a change has been made to a file or folder within a replicated shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a multimaster replication service, any server that participates in replication can generate changes. In addition, FRS can resolve file and folder conflicts to make data consistent among servers.

———————

Windows Distributed File Systems (DFS)

https://technet.microsoft.com/en-in/library/cc782417%28v=ws.10%29.aspx

Step-by-step guide:

Windows 2000 server: https://msdn.microsoft.com/en-us/library/bb727150.aspx

Windows 2008 server: https://technet.microsoft.com/en-us/library/cc732863%28v=ws.10%29.aspx

Distributed File System (DFS) allows administrators to group shared folders located on different servers by transparently connecting them to one or more DFS namespaces. A DFS namespace is a virtual view of shared folders in an organization. Using the DFS tools, an administrator selects which shared folders to present in the namespace, designs the hierarchy in which those folders appear, and determines the names that the shared folders show in the namespace. When a user views the namespace, the folders appear to reside on a single, high-capacity hard disk. Users can navigate the namespace without needing to know the server names or shared folders hosting the data. DFS also provides many other benefits, including fault tolerance and load-sharing capabilities, making it ideal for all types of organizations.

FRS and DFS replication: Windows Active Directory domain controllers use FRS to replicate system policy and login scripts for Windows servers and clients. However, because system policy and login script replication is performed by Active Directory replication, it is not affected by the following information. However, you can use DFS to replicate across domain controllers.


Access Control

ACL vs DACL vs SACL

An access control list (ACL) is a list of access control entries (ACE). Each ACE in an ACL identifies a trustee and specifies the access rights allowed, denied, or audited for that trustee. The security descriptor for a securable object can contain two types of ACLs: a DACL and a SACL.

A discretionary access control list (DACL) identifies the trustees that are allowed or denied access to a securable object. When a process tries to access a securable object, the system checks the ACEs in the object’s DACL to determine whether to grant access to it. If the object does not have a DACL, the system grants full access to everyone. If the object’s DACL has no ACEs, the system denies all attempts to access the object because the DACL does not allow any access rights. The system checks the ACEs in sequence until it finds one or more ACEs that allow all the requested access rights, or until any of the requested access rights are denied. For more information, see How DACLs Control Access to an Object. For information about how to properly create a DACL, see Creating a DACL.

A system access control list (SACL) enables administrators to log attempts to access a secured object. Each ACE specifies the types of access attempts by a specified trustee that cause the system to generate a record in the security event log. An ACE in a SACL can generate audit records when an access attempt fails, when it succeeds, or both. For more information about SACLs, see Audit Generation and SACL Access Right.

………………..

If a Windows object does not have a discretionary access control list (DACL), the system allows everyone full access to it. If an object has a DACL, the system allows only the access that is explicitly allowed by the access control entries (ACEs) in the DACL. If there are no ACEs in the DACL, the system does not allow access to anyone. Similarly, if a DACL has ACEs that allow access to a limited set of users or groups, the system implicitly denies access to all trustees not included in the ACEs.


Note: Info obtained from multiple sources.

AD partitions:

Directory Partitions

https://araihan.wordpress.com/2011/05/28/microsoft-active-directory-best-practice/


Trust

You can use the New Trust Wizard or the Netdom command-line tool to create four types of trusts: external trusts, realm trusts, forest trusts, and shortcut trusts. The following table describes these trust types.

trust-types

One thought on “Windows AD

  1. Pingback: AD Link | Yogesh

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s