Active Directory Domain Services
Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
• Auditing. Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values of the changed attributes.
• Fine-Grained Passwords. Password policies can be configured for distinct groups within the domain; every account no longer has to use the same password policy within the domain.
• Read-Only Domain Controller. A domain controller with a read-only copy of the Active Directory database can be deployed in environments where the security of the domain controller cannot be guaranteed, such as branch offices where the physical security of the domain controller is in question, or domain controllers that host additional roles and therefore require other users to log on and maintain the server. Read-Only Domain Controllers (RODCs) prevent changes made at branch locations from polluting or corrupting your AD forest via replication. RODCs also eliminate the need for a staging site for branch office domain controllers, or for sending installation media and a domain administrator to the branch location.
• Restartable Active Directory Domain Services. Active Directory Domain Services can be stopped and maintained; rebooting the domain controller into Directory Services Restore Mode is not required for most maintenance functions. Other services on the domain controller can continue functioning while the directory service is offline.
• Database Mounting Tool. A snapshot of the Active Directory database can be mounted using this tool, which allows a domain administrator to view the objects within the snapshot to determine the restore requirements when necessary.
Group Policy is a feature of the Microsoft Windows NT family of operating systems. Group Policy is a set of rules which control the working environment of user accounts and computer accounts. Group Policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. In other words, Group Policy in part controls what users can and cannot do on a computer system. Although Group Policy is more often seen in use for enterprise environments, it is also common in schools, smaller businesses and other kinds of smaller organizations. Group Policy is often used to restrict certain actions that may pose potential security risks, for example: to block access to the Task Manager, restrict access to certain folders, disable the downloading of executable files and so on.
As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users. IntelliMirror technologies relate to the management of disconnected machines or roaming users and include roaming user profiles, folder redirection and offline files. Group Policy Objects do not necessarily need Active Directory; Novell has supported roaming profiles since Windows 2000 with their ZENworks Desktop Management software package, and starting with Windows XP also supports group policy objects.
GPO (Group Policy Object) refresh
The Group Policy client refreshes the policy settings for workstations and servers on a "pull" model: every 90 minutes by default (every 5 minutes on domain controllers), with a random offset of up to 30 minutes. During this refresh it collects the list of GPOs that apply to the machine and to the logged-on user (if any). The Group Policy client then applies those GPOs, which thereafter affect the behavior of policy-enabled operating system components. Some settings, however, are only applied at reboot and/or when the user logs on to the computer (e.g. Software Installation for computers and drive mapping for users). Since Windows XP, a refresh of Group Policy can be manually initiated by the user with the "gpupdate" command from a command prompt.[1]
Local Group Policy
Local Group Policy (LGP) is a more basic version of the Group Policy used by Active Directory. In versions of Windows before Windows Vista, LGP can configure the Group Policy for a single local computer but, unlike Active Directory Group Policy, cannot make policies for individual users or groups. It also has far fewer options overall than Active Directory Group Policy. The specific-user limitation can be overcome by using the Registry Editor to make changes under the HKCU or HKU keys: LGP simply makes registry changes under the HKLM key, thus affecting all users, and the same changes can be made under HKCU or HKU to affect only certain users. Microsoft has more information on using the Registry Editor to configure Group Policy available on TechNet.[2] LGP can be used on a computer that is a domain member, and it can be used on Windows XP Home Edition. Windows Vista supports Multiple Local Group Policy objects (MLGPO), which allows setting local Group Policy for individual users.[3]
Processing order for policy settings
Group policies are processed in the following order:[4]
1. Local Group Policy objects - this applies to any settings in the computer's local policy (accessed by running gpedit.msc). Before Windows Vista there was only one local Group Policy stored per computer; there are now individual Group Policies settable per account on a Windows Vista or Windows 7 machine.[5]
2. Site - next, the computer processes any Group Policies that are linked to the site the computer is currently in. If multiple policies are linked to a site, they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and therefore have the highest precedence.
3. Domain - any policies linked at the domain level (Default Domain Policy) are processed next. If multiple policies are linked to a domain, they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
4. Organizational Unit - last, the Group Policies linked to the organizational unit that contains the computer or user are processed. If multiple policies are linked to an organizational unit, they are processed in the order set by the administrator on the Linked Group Policy Objects tab; policies with the lowest link order are processed last and have the highest precedence.
• Inheritance - inheritance can be blocked or enforced to control which policies are applied at each level. If a higher-level administrator (enterprise administrator) creates an enforced policy, it is still processed even where a lower-level administrator (domain administrator) has blocked inheritance.
Where a Group Policy Preference setting is configured and an equivalent Group Policy setting is also configured, the value of the Group Policy setting takes precedence.
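The processing order and inheritance rules above, as an added Python model (not code from the page or from Microsoft): it orders GPO links by level and link order, honours Block Inheritance and Enforced, and resolves each setting to the last GPO that wrote it. The GPO names and settings are constructed; the detail that an enforced link from a higher level also beats an enforced link below it is Windows behaviour the text above does not spell out.

```python
from dataclasses import dataclass, field

LEVELS = ("local", "site", "domain", "ou")   # applied in this order (LSDOU)


@dataclass
class GpoLink:
    gpo: str                                 # constructed GPO name
    level: str                               # one of LEVELS
    link_order: int = 1                      # 1 = highest precedence in its container
    enforced: bool = False                   # survives Block Inheritance
    settings: dict = field(default_factory=dict)


def processing_order(links, block_at=None):
    """GPO names in the order the client applies them; the last one wins.

    Within a container, links are applied in descending link order, so link
    order 1 is applied last. Block Inheritance set at `block_at` drops the
    non-enforced links of the levels above it (the local policy still applies).
    Enforced links are applied after everything else, highest level last, so
    an enforced domain link beats an enforced OU link (Windows behaviour, an
    assumption not stated in the text above)."""
    blocked = set(LEVELS[1:LEVELS.index(block_at)]) if block_at else set()
    normal, enforced = [], []
    for level in LEVELS:
        in_level = sorted((lk for lk in links if lk.level == level),
                          key=lambda lk: lk.link_order, reverse=True)
        for link in in_level:
            if link.enforced:
                enforced.append(link)
            elif level not in blocked:
                normal.append(link)
    enforced.sort(key=lambda lk: LEVELS.index(lk.level), reverse=True)
    return [lk.gpo for lk in normal + enforced]


def effective_settings(links, block_at=None):
    """Resolve every setting to the value written by the last GPO applied."""
    by_name = {lk.gpo: lk for lk in links}
    result = {}
    for name in processing_order(links, block_at):
        result.update(by_name[name].settings)
    return result
```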
Group Policy Preferences
Group Policy Preferences are a set of Group Policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and integrated it with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[6] Group Policy Preferences add a number of new configuration items. These items also have a number of additional targeting options that can be used to granularly control where the setting items are applied.
Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003 and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[7] [8] [9] [10] [11] [12] Client Side Extensions are now included in Windows Server 2008, Windows 7 and Windows Server 2008 R2.
Group Policy Management Console
Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[13][14][15][16]
Advanced Group Policy Management
Microsoft has also released a tool for making changes to Group Policy called Advanced Group Policy Management [17] (a.k.a. AGPM). This tool is available to any organisation that has licensed the Microsoft Desktop Optimization Pack (a.k.a. MDOP). This advanced tool allows administrators to have a check-in/check-out process for modifying Group Policy Objects, track changes to Group Policy Objects, and implement approval workflows for changes to Group Policy Objects. To use this software you must license all of your windo
DORA
When we install a DHCP server into our network, the DHCP server works on the basis of the DORA process. First the DHCP server sends a hello message into the network to discover the client PCs, and when a client PC is found in the network the DHCP server offers an IP to the client PC. When the client PC selects an IP from the DHCP server, the client PC requests the selected IP from the DHCP server, the DHCP server provides that IP to the client PC, and both send an acknowledgement to each other. This is called the DORA process, and on the basis of this process the DHCP server provides IPs dynamically to the client PCs in the network.
This process of assigning IP addresses by the DHCP server is also known as DORA (Discover, Offer, Request and Acknowledgement). 1) The client makes a UDP broadcast to the server for DHCP discovery. 2) The DHCP server makes an offer to the client. 3) In response to the offer, the client sends a request to the server. 4) The server responds with all the IP address/mask/gateway/DNS/WINS information along with the acknowledgement packet.
When the term "broadcast" is used there are two types of broadcast: 1) network layer broadcast and 2) data link layer broadcast. For Internet Protocol the standard broadcast destination address is 255.255.255.255. For Ethernet the broadcast destination address is FF:FF:FF:FF:FF:FF. You have to think of the DORA process in terms of encapsulation and decapsulation, as well as switch behavior with the frames it receives.
So let's say you've got two computers, a client host and a server host. The client host is the DHCP client and the server host is the DHCP server. Let's call the client host PC and the DHCP server DHCP. Now when the PC is turned on, the NIC has a MAC address but no IP address. So the PC tries to "discover" the DHCP server by sending out a "discover" packet. In that packet the destination IP address is 255.255.255.255 and the source IP address is 0.0.0.0 (because the PC doesn't have an IP address yet). That discover packet is encapsulated in a data link layer Ethernet frame. That Ethernet frame has a destination address of FF:FF:FF:FF:FF:FF and a source address of whatever the MAC address of the PC's NIC is; let's call it PC:MA:CA:DD:RR:SS (I know this is not a valid MAC address). Now since the destination address is FF:FF:FF:FF:FF:FF, the first switch that receives the frame will by definition send that frame out of every single switch port except the switch port that received the frame. Since the switch doesn't know (from its CAM table) who FF:FF:FF:FF:FF:FF is, it forwards the discover packet out of every single switch port except the switch port that received the frame.
Let's say the DHCP server is directly connected to the switch. So the DHCP server receives the Ethernet frame with the destination address of FF:FF:FF:FF:FF:FF (which by definition includes itself) and a source address of PC:MA:CA:DD:RR:SS. When the DHCP server receives that discover packet it replies by sending the offer packet. Since the DHCP server has no idea who was contacting it (the PC currently has an IP address of 0.0.0.0), the offer packet has a destination IP address of 255.255.255.255. But the DHCP server remembered the MAC address of whoever was trying to contact it, so the DHCP server sends out the offer packet in a frame with a destination address of PC:MA:CA:DD:RR:SS and uses its own source address of DH:CP:SE:RV:ER:MC (again, I know this is not a valid MAC address). So the offer packet is sent from the DHCP server to the PC as a unicast, not a broadcast. The switch receives the frame from the DHCP server and forwards it to the PC, which receives the offer packet. Then the rest of the DHCP process, the R and the A, occurs. So that's why "...the first two messages in the DHCP are broadcast messages..." refers to network layer IP broadcast messages (destination IP address of 255.255.255.255), while "...only the first message (the discover message) is a LAN broadcast..." because only the discover packet's frame had the Ethernet destination address of FF:FF:FF:FF:FF:FF (therefore a LAN broadcast), whereas the offer packet's frame had the Ethernet destination address of PC:MA:CA:DD:RR:SS (therefore a LAN unicast).
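The DORA exchange above, as an added Python example (not code from the page): it serialises and parses minimal RFC 2131 DHCP messages and lists all four messages with the Ethernet and IP addressing each one uses, extending the text's Discover/Offer framing to Request and Ack. The MAC addresses, IP addresses and transaction id are constructed sample values.

```python
import socket
import struct

MAGIC = b"\x63\x82\x53\x63"                      # RFC 2131 option-field cookie
DISCOVER, OFFER, REQUEST, ACK = 1, 2, 3, 5       # option 53 message types
BCAST_IP, BCAST_MAC, NO_IP = "255.255.255.255", "ff:ff:ff:ff:ff:ff", "0.0.0.0"
HDR = "!BBBBIHH4s4s4s4s16s192s"                  # 236-byte fixed BOOTP header


def build(op, msg_type, xid, chaddr, yiaddr=NO_IP, ciaddr=NO_IP, opts=()):
    """Serialise a minimal DHCP message: fixed header, cookie, options, end mark."""
    hw = bytes.fromhex(chaddr.replace(":", "")).ljust(16, b"\0")
    hdr = struct.pack(HDR, op, 1, 6, 0, xid, 0, 0, socket.inet_aton(ciaddr),
                      socket.inet_aton(yiaddr), b"\0" * 4, b"\0" * 4, hw, b"\0" * 192)
    body = bytes([53, 1, msg_type])
    for code, val in opts:                       # TLV-encoded options
        body += bytes([code, len(val)]) + val
    return hdr + MAGIC + body + b"\xff"


def parse(pkt):
    """Decode the fields DORA turns on; rejects packets without the cookie."""
    f = struct.unpack(HDR, pkt[:236])
    if pkt[236:240] != MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(pkt) and pkt[i] != 0xFF:
        if pkt[i] == 0:                          # pad option has no length byte
            i += 1
            continue
        code, ln = pkt[i], pkt[i + 1]
        opts[code] = pkt[i + 2:i + 2 + ln]
        i += 2 + ln
    return {"op": f[0], "xid": f[4], "ciaddr": socket.inet_ntoa(f[7]),
            "yiaddr": socket.inet_ntoa(f[8]), "chaddr": f[11][:6].hex(":"),
            "type": opts[53][0], "opts": opts}


def dora(client_mac, server_mac, server_ip, offered_ip, xid=0x3903F326):
    """The four messages of one lease, each with the L2/L3 addressing it uses."""
    sid = (54, socket.inet_aton(server_ip))      # server identifier option
    steps = [  # (name, eth src, eth dst, ip src, ip dst, payload)
        ("DISCOVER", client_mac, BCAST_MAC, NO_IP, BCAST_IP,
         build(1, DISCOVER, xid, client_mac)),
        ("OFFER", server_mac, client_mac, server_ip, BCAST_IP,
         build(2, OFFER, xid, client_mac, yiaddr=offered_ip, opts=[sid])),
        ("REQUEST", client_mac, BCAST_MAC, NO_IP, BCAST_IP,
         build(1, REQUEST, xid, client_mac,
               opts=[(50, socket.inet_aton(offered_ip)), sid])),
        ("ACK", server_mac, client_mac, server_ip, BCAST_IP,
         build(2, ACK, xid, client_mac, yiaddr=offered_ip, opts=[sid])),
    ]
    keys = ("msg", "eth_src", "eth_dst", "ip_src", "ip_dst", "pkt")
    return [dict(zip(keys, s)) for s in steps]
```

The unicast framing of OFFER and ACK assumes the client left the BROADCAST flag clear; a client that sets it (flags field 0x8000) receives both as Ethernet broadcasts instead.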
FSMO
Windows 2000/2003 multi-master model
A multi-master enabled database, such as the Active Directory, provides the flexibility of allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise. One way Windows 2000/2003 deals with conflicting updates is by having a conflict resolution algorithm handle discrepancies in values by resolving to the DC to which changes were written last (that is, "the last writer wins"), while discarding the changes in all other DCs. Although this resolution method may be acceptable in some cases, there are times when conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases, it is best to prevent the conflict from occurring rather than to try to resolve it after the fact. For certain types of changes, Windows 2000/2003 incorporates methods to prevent conflicting Active Directory updates from occurring.
Windows 2000/2003 single-master model
To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates. This is similar to the role given to a primary domain controller (PDC) in earlier versions of Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for processing all updates in a given domain. In a forest, there are five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:
• Schema Master: The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master. There can be only one schema master in the whole forest.
• Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There can be only one domain naming master in the whole forest.
• Infrastructure Master: When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals), and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated, and a warning to that effect will be logged in that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role.
• Relative ID (RID) Master: The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. At any one time, there can be only one domain controller acting as the RID master in the domain.
LDAP is the directory service protocol that is used to query and update AD. LDAP naming paths are used to access AD objects and include the following:
• Distinguished names
• Relative distinguished names
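An added Python example (not code from the page) of the two naming paths just listed: it splits a distinguished name into its relative distinguished names while honouring RFC 4514 backslash escapes, so a comma inside a value does not end the RDN, and derives the parent container's DN. The names used are constructed.

```python
def split_dn(dn):
    """Split a distinguished name into its RDNs, leftmost first: the first
    element is the object's own RDN, the last is the root (DC=...).
    A backslash escapes the next character (RFC 4514), so an escaped comma
    inside a value does not end the RDN."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):    # keep the escape pair verbatim
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def rdn_parts(rdn):
    """Return (attribute type, value) of one RDN; the value keeps its escapes."""
    typ, _, val = rdn.partition("=")
    return typ.strip(), val.strip()


def parent_dn(dn):
    """DN of the container holding the object (everything after its own RDN)."""
    return ",".join(split_dn(dn)[1:])
```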