UNDERSTANDING ACTIVE DIRECTORY FOR BEGINNERS – PART 2

This is the documentation for the online discussion we conducted on Active Directory.

A recording of this session is available on YouTube.
Here we discussed:

  • ACID Property of a Database
  • Active Directory Sites and Services
  • Active Directory Replication
  • Domain Controller
  • Global Catalog Server
  • Logical and Physical Components of Active Directory
  • FSMO Roles
  • Domain Functional Level
  • Forest Functional Level
  • Installing Active Directory (Windows Server 2012)

ACID Property of a Database

In computer science, ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee that database transactions are processed reliably.
In the context of databases, a single logical operation on the data is called a transaction.

Atomicity

Atomicity requires that each transaction is “all or nothing”: if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

Consistency

The consistency property ensures that any transaction will bring the database from one valid state to another.

Isolation

The isolation property ensures that the concurrent execution of transactions results in a system state that could have been obtained if the transactions had been executed serially, i.e. one after the other. Each transaction has to execute in total isolation.

Durability

Durability means that once a transaction has been committed, it will remain so even in the event of power loss, crashes, or errors. Even if the database crashes, it can be restored.

Active Directory Sites

  • Sites in Active Directory represent the physical structure, or topology, of your network.
  • Sites are managed using the Active Directory Sites and Services console.
  • Sites are connected by site links, and each site link has a cost associated with it.

Active Directory Replication

  • Intrasite Replication
  • Intersite Replication

Intrasite Replication

  • Happens between DCs in the same site.
  • Replication happens 15 seconds after a change.
  • This happens automatically.
  • The intrasite topology is automatically generated by the KCC (Knowledge Consistency Checker), which runs on every DC.

Intersite Replication

  • This is not created automatically; the administrator creates it.
  • Active Directory will automatically pick a Domain Controller from each site to act as a bridgehead server.
  • Bridgehead servers replicate changes between the sites. This is much more efficient than every DC attempting to replicate to other sites.
  • When a change reaches the bridgehead server, it is replicated to all other domain controllers in that site.
  • Administrators can manually select the bridgehead servers; these are called preferred bridgehead servers. If they are selected manually and those DCs aren't available, no replication will occur.
  • The sites are connected to each other by site links.

Site Link

  • Determines the schedule of replication.
  • Allows a cost to be configured.
  • The cost determines the priority in which the links are used: lower cost, higher priority.
  • The KCC running on the bridgehead server acts as the ISTG (InterSite Topology Generator).
  • Whenever a site link goes down, the KCC creates a new intersite replication topology. The KCC runs every 15 minutes.

Transport Protocol

  • RPC over IP
  • SMTP

RPC over IP

  • Supports every type of data replication required for Active Directory
  • Synchronous
  • Used when the connectivity is reliable.
  • Always used for Intrasite replication.

SMTP

  • Cannot replicate every kind of data that Active Directory requires; for example, it cannot do file replication. Files include login scripts and Group Policies.
  • Asynchronous
  • Used when the connectivity is unreliable.
  • Please refer to this TechNet article for more details.

RPC over IP is normally used in the real world.
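The following is an added example, not part of the original post: it inventories the site topology described above (sites and their ISTG, site links with cost, interval and transport, and any preferred bridgehead servers) using the ActiveDirectory PowerShell module that ships with RSAT / Windows Server 2012 and later. It only reads the Configuration partition, so any domain user can run it.

```powershell
# Added example (not from the original post): inventory the intersite replication topology.
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# 1. Sites and the DC currently acting as ISTG for each site.
Get-ADReplicationSite -Filter * -Properties InterSiteTopologyGenerator, AutomaticInterSiteTopologyGenerationEnabled |
    Select-Object Name,
        @{ n = 'ISTG'; e = { ($_.InterSiteTopologyGenerator -split ',')[1] -replace '^CN=' } },
        AutomaticInterSiteTopologyGenerationEnabled |
    Format-Table -AutoSize

# 2. Site links sorted by cost: lower cost = preferred path (see "Site Link" above).
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, InterSiteTransportProtocol, SitesIncluded |
    Sort-Object Cost |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, InterSiteTransportProtocol,
        @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } } |
    Format-Table -AutoSize

# 3. Flag site links on the SMTP transport: it is asynchronous and cannot carry SYSVOL
#    (login scripts, Group Policy) or the domain partition, so it is rarely wanted in production.
$smtpLinks = Get-ADReplicationSiteLink -Filter * -Properties InterSiteTransportProtocol |
    Where-Object { $_.InterSiteTransportProtocol -eq 'SMTP' }
if ($smtpLinks) { Write-Warning "SMTP site links present: $($smtpLinks.Name -join ', ')" }

# 4. Preferred bridgehead servers for the IP transport (back-link attribute bridgeheadServerListBL
#    on the transport object). If these are set and the listed DCs are down, intersite
#    replication stops, as the text warns, so the list should be known and kept small.
$ipTransport = Get-ADObject -Identity "CN=IP,CN=Inter-Site Transports,CN=Sites,$configNC" -Properties bridgeheadServerListBL
if ($ipTransport.bridgeheadServerListBL) {
    'Preferred bridgehead servers (IP):'
    $ipTransport.bridgeheadServerListBL | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }
} else {
    'No preferred bridgehead servers configured; the KCC/ISTG selects bridgeheads automatically.'
}
```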

Active Directory Replication from a Database perspective

Domain Controller

  • Server which has Active Directory installed
  • Uses LDAP port 389 for communication

Global Catalog Server

  • The global catalog is a domain controller that contains a searchable, partial representation of every object in every domain in a multi domain Active Directory forest.
  • Uses non standard LDAP port 3268 for communication.

Let's review the AD Database Layers again.

AD Database Layers

ESE Layer

  • Jet database engine (ESE, the Extensible Storage Engine)

Database Layer

  • Schema Partition
  • Config Partition
  • Domain Partition
  • Application Partition

Core Directory System Agent (DSA) Layer

  • The directory service component that runs as Ntdsa.dll on each domain controller, providing the interfaces through which services and processes gain access to the directory database.

LDAP Layer

  • The primary interface for AD DS access. Directory clients use LDAP v3 to connect to the DSA through the LDAP interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2.

Replication Layer

  • The replication management interface.

SAM Layer

  • Proprietary interface for connecting to the DSA on behalf of clients that run Windows NT 4.0 or earlier.

Logical and Physical Components of Active Directory

Logical Components

  • Domain
  • OU
  • Objects (not all objects)
  • Global Catalog
  • Tree
  • Forest
  • Group Policy

Physical Components

  • Domain Controller
  • Sites
  • Site Link

Multi Master Replication

  • Multi-master replication is a method of database replication which allows data to be stored by a group of computers, and updated by any member of the group.

Single Master Replication

  • Single-master replication is a method of database replication which allows data to be stored by a group of computers, but can only be updated by one member of the group.

Active Directory works on the multi-master replication model, except for a few operations, which are handled by the FSMO roles.

FSMO Roles
Flexible Single Master Operations Roles

Schema Master Role:

  • The schema master domain controller controls all updates and modifications to the schema. Once the Schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.

Domain naming master Role:

  • The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.

Infrastructure Master Role:

  • When an object in one domain is referenced by an object in another domain, the reference is represented by the SID and the DN of the referenced object. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
  • Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.

Relative ID (RID) Master Role:

  • The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC’s allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain’s RID master. The domain RID master responds to the request by retrieving RIDs from the domain’s unallocated RID pool and assigns them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.

PDC Emulator Role:

  • The PDC emulator is necessary to synchronize time in an enterprise. At any one time, there can be only one domain controller acting as the PDC Emulator in each domain.
  • The PDC emulator role also performs the following functions:
  • Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
  • Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
  • Account lockout is processed on the PDC emulator.
  • Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found in the PDC Emulator’s SYSVOL share, unless configured not to do so by the administrator.
  • The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

More detailed documentation can be reviewed here:

https://www.petri.co.il/understanding_fsmo_roles_in_ad.htm

There are 5 FSMO roles in total: 2 forest-wide (Schema Master and Domain Naming Master) and 3 domain-wide (RID Master, PDC Emulator and Infrastructure Master).
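As an added example (not part of the original post), this script lists the five role holders and applies the Infrastructure Master rule from the note above. It uses the ActiveDirectory module; the one caveat it adds beyond the text is the well-known exception that the rule does not matter when every DC in the domain is a Global Catalog.

```powershell
# Added example (not from the original post): FSMO role inventory and IM/GC placement check.
Import-Module ActiveDirectory

$forest = Get-ADForest
$roles  = @()

# Forest-wide roles: exactly one holder in the whole forest.
$roles += [pscustomobject]@{ Scope = 'Forest'; Role = 'Schema Master';        Holder = $forest.SchemaMaster }
$roles += [pscustomobject]@{ Scope = 'Forest'; Role = 'Domain Naming Master'; Holder = $forest.DomainNamingMaster }

# Domain-wide roles: one holder per domain, so walk every domain in the forest.
foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $roles += [pscustomobject]@{ Scope = $d; Role = 'RID Master';            Holder = $dom.RIDMaster }
    $roles += [pscustomobject]@{ Scope = $d; Role = 'PDC Emulator';          Holder = $dom.PDCEmulator }
    $roles += [pscustomobject]@{ Scope = $d; Role = 'Infrastructure Master'; Holder = $dom.InfrastructureMaster }

    # Rule from the text: the IM should not be a GC. The exception (not in the text) is a domain
    # where every DC is a GC: then no DC holds phantom references and the placement is harmless.
    $dcs   = Get-ADDomainController -Filter * -Server $d
    $im    = $dcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster }
    $allGC = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($im.IsGlobalCatalog -and -not $allGC) {
        Write-Warning "$d : Infrastructure Master $($im.HostName) is a Global Catalog while other DCs are not."
    }
}

$roles | Format-Table -AutoSize

# Every holder must be a live DC. A holder that no longer answers LDAP usually means a DC was
# removed without transferring its roles, which blocks schema changes, RID allocation, etc.
foreach ($r in $roles | Sort-Object Holder -Unique) {
    $up = Test-NetConnection -ComputerName $r.Holder -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
    if (-not $up) { Write-Warning "FSMO holder $($r.Holder) does not answer on LDAP port 389." }
}
```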

Domain Functional Level

  • Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level the more features available.
  • They also determine which Windows Server operating systems you can run on domain controllers in the domain or forest. However, functional levels do not affect which operating systems you can run on workstations and member servers that are joined to the domain or forest.

The different domain functional levels are:

Mixed or Interim

  • Upgraded from an NT4 domain and may have some domain controllers that are still NT4.

Windows 2000 native

  • Gives basic Active Directory functionality

Supported domain controller operating systems in that domain.

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows Server 2003

  • Allows the computer name of a domain controller to be changed.
  • Adds a last logon timestamp to each user account.
  • Adds the UserPassword attribute to the iNetOrgPerson object. This is used when migrating from a 3rd-party directory service: it allows the 3rd-party password to be stored in Active Directory.
  • Constrained delegation.

Supported domain controller operating systems in that domain.

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Windows Server 2008

  • DFS Replication for the SYSVOL share.
  • Advanced Encryption Standard (AES) for Kerberos.
  • Additional last logon details, such as the number of failed logon attempts.
  • Fine-grained password policies. Allows multiple password policies to be defined in the same domain.

Supported domain controller operating systems in that domain.

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008

Windows Server 2008 R2

  • Authentication Mechanism Assurance: adds details to the Kerberos ticket about how the user was authenticated, e.g. whether a smart card was used.
  • Automatic SPN (Service Principal Name) management.

Supported domain controller operating systems in that domain.

  • Windows Server 2012
  • Windows Server 2008 R2

Windows Server 2012

  • The KDC support for claims, compound authentication, and Kerberos armoring KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require Windows Server 2012 domain functional level. For more information, see Support for claims, compound authentication, and Kerberos armoring.

Supported domain controller operating systems in that domain.

  • Windows Server 2012

Forest functional level

Windows 2000

  • Basic Active Directory features

Supported domain controller operating systems in that forest.

  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003
  • Windows 2000

Windows Server 2003

  • Forest Trust: Allows a trust relationship between two forests. A forest trust allows resources to be shared between the forests.
  • Rename Domains: This allows you to change a domain name.
  • Improved Knowledge Consistency Checker (KCC)
  • Allows Active Directory objects to be created with an expiration time.
  • Convert INetOrgPerson to user: Allows an INetOrgPerson object to be converted to a user object and vice versa.
  • The INetOrgPerson object is used when importing or exporting users from Active Directory to a 3rd party directory system.
  • This forest level is required if you want to start using Windows Server 2008 Read Only Domain Controllers in Active Directory.
  • Deactivation of attributes: Once you make a change to the schema of Active Directory it can’t be deleted. Deactivation allows you to deactivate attributes in the Schema that are no longer required.

Supported domain controller operating systems in that forest.

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008
  • Windows Server 2003

Windows Server 2008

  • All of the features that are available at the Windows Server 2003 forest functional level, but no additional features are available. All domains that are subsequently added to the forest, however, operate at the Windows Server 2008 domain functional level by default.

Supported domain controller operating systems in that forest.

  • Windows Server 2012
  • Windows Server 2008 R2
  • Windows Server 2008

Windows Server 2008 R2

  • All of the features that are available at the Windows Server 2003 forest functional level, plus the following features:
  • Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running.
  • All domains that are subsequently added to the forest will operate at the Windows Server 2008 R2 domain functional level by default.
  • If you plan to include only domain controllers that run Windows Server 2008 R2 in the entire forest, you might choose this forest functional level for administrative convenience. If you do, you will never have to raise the domain functional level for each domain that you create in the forest.

Supported domain controller operating systems in that forest.

  • Windows Server 2012
  • Windows Server 2008 R2

Windows Server 2012

  • All of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.

Supported domain controller operating systems in that forest.

  • Windows Server 2012

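The following is an added example, not part of the original post: it reads the current domain and forest functional levels and checks, for each domain, whether every domain controller's operating system is at or above that level, i.e. whether the level could be raised. The OS-to-level mapping follows the tables above (Windows 2000 through Windows Server 2012); anything newer is reported for manual review. It assumes the ActiveDirectory module.

```powershell
# Added example (not from the original post): functional-level inventory and raise check.
Import-Module ActiveDirectory

# Rank of each level so levels can be compared; the keys are the DomainMode/ForestMode enum
# names returned by Get-ADDomain and Get-ADForest.
$levelRank = @{
    'Windows2000Domain'   = 0; 'Windows2000Forest'   = 0
    'Windows2003Domain'   = 1; 'Windows2003Forest'   = 1
    'Windows2008Domain'   = 2; 'Windows2008Forest'   = 2
    'Windows2008R2Domain' = 3; 'Windows2008R2Forest' = 3
    'Windows2012Domain'   = 4; 'Windows2012Forest'   = 4
}

# Highest functional level a DC's OperatingSystem string supports (order matters: "2008 R2"
# must be tested before "2008"). -1 means the OS is outside the tables in this post.
function Get-DcLevelRank([string]$os) {
    switch -Regex ($os) {
        '2012'    { return 4 }
        '2008 R2' { return 3 }
        '2008'    { return 2 }
        '2003'    { return 1 }
        '2000'    { return 0 }
        default   { return -1 }
    }
}

$forest = Get-ADForest
"Forest functional level: $($forest.ForestMode)"

foreach ($d in $forest.Domains) {
    $dom = Get-ADDomain -Identity $d
    $dcs = Get-ADDomainController -Filter * -Server $d
    $cur = if ($levelRank.ContainsKey("$($dom.DomainMode)")) { $levelRank["$($dom.DomainMode)"] } else { -1 }
    # The lowest DC in the domain caps the level the domain can be raised to.
    $cap = ($dcs | ForEach-Object { Get-DcLevelRank $_.OperatingSystem } | Measure-Object -Minimum).Minimum
    "$d : DomainMode=$($dom.DomainMode) (rank $cur), lowest DC OS rank=$cap"
    if ($cap -lt 0 -or $cur -lt 0) { "  -> a level or DC OS is outside this post's tables; review manually." }
    elseif ($cap -gt $cur)         { "  -> every DC supports a higher level; the domain level can be raised." }
    else                           { "  -> the domain is already at the highest level its DCs allow." }
}
```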
Installing Active Directory (Windows Server 2012)

Review the recording, and for documentation please refer to:

https://social.technet.microsoft.com/wiki/contents/articles/12370.step-by-step-guide-for-setting-up-windows-server-2012-domain-controller.aspx

Please find the slides here.
Thank you all for spending your valuable time.

NOTE:

This is a copy of the post made on Road2Master Blog.

https://beta.road2master.com/Learning/understanding-active-directory-for-beginners-part-2/

Comments

  • Anonymous
    January 01, 2003
    Awesome notes...

  • Anonymous
    January 01, 2003
    SMTP can't replicate the domain naming context/partition, technet.microsoft.com/.../bb742457.aspx Good series.

  • Anonymous
    January 01, 2003
    @ Mike - Thanks for the input.

  • Anonymous
    May 09, 2013
    Wonderful work, I will keep studying this and let you know if I have any doubt.

  • Anonymous
    January 16, 2014
    Nice blog to read out...........

  • Anonymous
    May 05, 2014
    Good one

  • Anonymous
    May 27, 2014
    Awesome post, Sir,

  • Anonymous
    August 05, 2014
    good

  • Anonymous
    September 26, 2014
    Awesome...bro.

    I really appreciate your effort