Dark Developments Where Knowledge Meets Power


AD – Active Directory, What is it ?


What is it ?

Active Directory enables administrators to force policies and settings in a company network.  You can think of AD as a certain catalogue or a book that holds all the information regarding users, computers, resources, etc. but also settings for the company domain. It makes it possible to provide access and set permission based on that information stored in the catalogue by using different methods like for example a security group.

The most important role of Active Directory is providing the authentication information for users, computers and the resources that are part of the network.

Forests and Domains

When installing Active Directory the first time you need to think of Domains and Forests. A forest is a security boundary. Objects in separate forests are not able to interact with each other, unless the administrators of each separate forest create a trust between them. For example, an Enterprise Administrator account for domain1.com, which is normally the most privileged account of a forest, will have, no permissions at all in a second forest named domain2.com, even if those forests exist within the same LAN, unless there is a trust in place.

A domain is a management boundary. Domains are part of a forest. The first domain in a forest is known as the forest root domain. In many small and medium organizations (and even some large ones), you will only find a single domain in a single forest. The forest root domain defines the default namespace for the forest. For example, if the first domain in a new forest is named domain1.com, then that is the forest root domain. If you have a business need for a child domain, for example - a branch office in Chicago, you might name the child domain chi. The FQDN of the child domain would be chi.domain1.com. You can see that the child domain's name was prepended forest root domain's name. This is typically how it works. You can have disjoint namespaces in the same forest, but that's a whole separate can of worms for a different time.

In most cases, you'll want to try and do everything possible to have a single AD domain. It simplifies management, and modern versions of AD make it very easy to delegate control based on OU, which lessens the need for child domains.

Domain Names

I can name my domain whatever I want, right? Not really. dcpromo.exe, the tool that handles the promotion of a server to a DC isn't idiot-proof. It does let you make bad decisions with your naming, so pay attention to this section if you are unsure.

First of all, don't use made up TLDs like .local, .lan, .corp, or any of that other crap. Those TLDs are not reserved. ICANN is selling TLDs now, so your mycompany.corp that you're using today could actually belong to someone tomorrow. If you own mycompany.com, then the smart thing to do is use something like internal.mycompany.com or ad.mycompany.com for your internal AD name. If you use mycompany.com as an externally resolvable website, you should avoid using that as your internal AD name as well, since you'll end up with a split-brain DNS.

FSMO Roles

When a user tries to log in to a computer that is joined to AD using their AD credentials, the salted and hashed username and password combination are sent to the DC for both the user account and the computer account that are logging in. Yes, the computer logs in too. This is important, because if something happens to the computer account in AD, like someone resets the account or deletes it, you may get an error that say that a trust relationship doesn't exist between the computer and the domain. Even though your network credentials are fine, the computer is no longer trusted to log into the domain.

A server that responds to authentication or authorization requests is a Domain Controller (DC). In most cases, a Domain Controller will hold a copy of the Global Catalog. A Global Catalog (GC) is a partial set of objects in all domains in a forest. It is directly searchable, which means that cross-domain queries can usually be performed on a GC without needing a referral to a DC in the target domain. If a DC is queried on port 3268 (3269 if using SSL), then the GC is being queried. If port 389 (636 if using SSL) is queried, then a standard LDAP query is being used and objects existing in other domains may require a referral.

In general there are five functions that are needed to provide a fully functional Active Directory. The 5 roles and their function are:

  • Domain Naming Master - There is only one Domain Naming Master per forest. The Domain Naming Master makes sure that when a new domain is added to a forest that it is unique. If the server holding this role is offline, you won't be able to make changes to the AD namespace, which includes things like adding new child domains.
  • Schema Master - There is only one Schema Operations Master in a forest. It is responsible for updating the Active Directory Schema. Tasks that require this, such as preparing AD for a new version of Windows Server functioning as a DC or the installation of Exchange, require Schema modifications. These modifications must be done from the Schema Master.
  • Infrastructure Master - There is one Infrastructure Master per domain. If you only have a single domain in your forest, you don't really need to worry about it. If you have multiple forests, then you should make sure that this role is not held by a server that is also a GC holder. The infrastructure master is responsible for making sure that cross-domain references are handled properly. If a user in one domain is added to a group in another domain, the infrastructure master for the domains in question make sure that it is handled properly. This role will not function correctly if it is on a global catalog.
  • RID Master - The Relative ID Master (RID Master) is responsible for issuing RID pools to DCs. There is one RID master per domain. Any object in an AD domain has a unique Security Identifier (SID). This is made up of a combination of the domain identifier and a relative identifier. Every object in a given domain has the same domain identifier, so the relative identifier is what makes objects unique. Each DC has a pool of relative IDs to use, so when that DC creates a new object, it appends a RID that it hasn't used yet. Since DCs are issued non-overlapping pools, each RID should remain unique for the duration of the life of the domain. When a DC gets to ~100 RIDs left in its pool, it requests a new pool from the RID master. If the RID master is offline for an extended period of time, object creation may fail.
  • PDC Emulator - Finally, we get to the most widely misunderstood role of them all, the PDC Emulator role. There is one PDC Emulator per domain. If there is a failed authentication attempt, it is forwarded to the PDC Emulator. The PDC Emulator functions as the "tie-breaker" if a password was updated on one DC and hasn't yet replicated to the others. The PDC Emulator is also the server that controls time sync across the domain. All other DCs sync their time from the PDC Emulator. All clients sync their time from the DC that they logged in to. It's important that everything remain within 5 minutes of each other, otherwise Kerberos breaks and when that happens, everyone cries.

The important thing to remember is that the servers that these roles run on is not set in stone. It's usually trivial to move these roles around, so while some DCs do slightly more than others, if they go down for short periods of time, everything will usually function normally.

Primary and Secondary DC’s

The concept of PDCs and BDCs died with Windows NT4. If you create a secondary DC it will also be capable of offering authentication services. It’s best practice to have atleast two DCs per domain. These DCs should both have a copy of the GC and should both be DNS servers so that the network resources (Clients, Computers,..) are still able to query the DC.

The DCs belonging to the same domain in the same site will replicate their data to each other at a 15 second interval. Do note that there are urgent event that trigger replication after the data has been changed. Think things like password resets, account lockouts.

How can clients find the domain ?

Client and other resources can find the DCs by using DNS. It’s the most critical role that needs to function properly to have a functioning AD. Do note that while it is possible to use any type of DNS service it’s best to stick with using AD integrated DNS zones to avoid any DNS related problems.

When adding a client to the domain the first thing you always need to check is the DNS servers that client is using. Make sure it’s using the in house DNS servers because when trying to add the client to the domain it will try to resolve the domain name to locate the domain controller.

Each FSMO role will have a SRV DNS record that will point to client to the correct DC.

  • _ldap._tcp.<DNSDomainName> - Enables a client to locate a W2K domain controller in the domain named by <DNSDomainName>. A client searching for a domain controller in the domain dpetri.net would query the DNS server for _ldap._tcp.domain1.com.
  •  _ldap._tcp.<SiteName>._sites.<DNSDomainName> - Enables a client to find a W2K domain controller in the domain and site specified (e.g., _ldap._tcp.lab._sites. domain1.com for a domain controller in the Lab site).
  • _ldap._tcp.pdc._ms-dcs.<DNSDomainName> - Enables a client to find the PDC flexible single master object (FSMO) role holder of a mixed-mode domain. Only the PDC of the domain registers this record.
  •  _ldap._tcp.gc._msdcs.<DNSTreeName> - Enables a client to find a Global Catalog (GC) server. Only domain controllers serving as GC servers for the tree will register this name. If a server ceases to be a GC server, the server will deregister the record.
  •  _ldap._tcp. ._sites.gc._msdcs.<DNSTreeName> - Enables a client to find a GC server in the specified site (e.g., _ldap._tcp.lab._sites.gc._msdcs. domain1.com).
  •  _ldap._tcp.<DomainGuid>.domains._msdcs.<DNSTreeName> - Enables a client to find a domain controller in a domain based on the domain controller’s globally unique ID. A GUID is a 128-bit (8 byte) number that generates automatically for referencing Active Directory objects.
  • <DNSDomainName> - Enables a client to find a domain controller through a normal Host record.

Installation and backup of Active Directory.

More information regarding installation of Active Directory can be found here darkdevelopments.org/2011/08/30/win2008-install-active-directory/. Regarding the backup procedure of Active Directory more information can be found here darkdevelopments.org/2011/07/18/db-backuprecovery-notes-part1-active-directory-2/

[1] serverfault.com/questions/402580/what-is-active-directory-and-how-does-it-work
[2] www.petri.co.il/active_directory_srv_records.htm

Print Friendly
Comments (0) Trackbacks (0)

No comments yet.

Leave a comment

No trackbacks yet.