Some years ago, you could have been excused for thinking that selecting the right server

software for your Windows network was a tough job. Microsoft hasn’t always been the toughest
dog in the pound. On one hand Microsoft’s NT4 platform provided good integration and, more
importantly, a platform that IT managers were immediately familiar with. On the other hand,
Novell had a rock solid, lean, and world proven product in Novell Netware (4.1 or 5). The secret
at the heart of the world dominance of Novell, and the foot blocking the door of Microsoft in the
critical international corporate server market, was the inclusion of a directory service called NDS
(Novell Directory Services). Such a directory allowed for scalable and more easily managed
networks, and lent itself well to multi-office, global networks, at least it was the better alternative
to the provisions in Windows NT4.

Fig 1: Novells NDS was world class…at the time.

For those of you knew to the idea of a Directory in network terms, you can think of it as a
telephone directory, with each entry being a network object, such as a user or a printer or a
network share, rather than a piece of contact information. This information can be structured in
to logical containers, called Organisational Units (OU’s) allowing for a more manageable
environment when dealing with large numbers of users and other objects. This directory can be
duplicated and replicated across multiple servers, allowing for redundancy and a distributed
structure to be built in to the network design. This directory, like its paper based name sake, can
be searched quickly an easily, though this can be done far faster than turning the pages of the
book. Allowing for a logical structure and design allows IT Departments to apply policies to
groups of users or computers based upon the needs of the business.

Clearly, in order for Microsoft to gain global dominance in the server field, they had to rework
the server platform, and make it scalable, reliable and resilient from the ground up, and without
completely reinventing the wheel. Thus Active Directory was born.

Learning the basics

Before we begin, lets quickly cover the basics of Active Directory. Any Active Directory
installation goes hand in hand with a correctly setup DNS server running on your network. The
reliance on DNS is apparent in Windows 2000, and it’s almost impossible to run a Windows
2000 network with out it being underpinned by DNS. This is very different from the old NT
networks, which could do without, or would most likely use WINS which was a Microsoft
‘alternative’ to DNS offered up at the time. Such is the reliance on DNS, that it should be the
first point of call when fault finding an issues with AD working or replication issues.

Active Directory itself is made up of three ‘logical’ partitions, these being ‘Domain’,
‘Configuration’ and ‘Schema’. Within the file system these are stored in the NTDS.DIT on any
domain controller. The Domain partition stores information relating to the domain, while the
Configuration partition holds information relating to the forest structure. Finally the Schema
holds information on the definition of objects within the network. These can roughly be
associated, in order, with the following tools; Active Directory Users and Computers, Active
Directory Sites and Services, and ADSIEdit.

Is there a spin doctor in the house?

You’re not going to be bowled over by swathes of new features in Active Directory 2003, the
most visible new features are to be found in the management tools which, as part of the Admin
Pak, can be installed on a Windows XP machine and will work quite happily with Windows
2000. One of the most useful features of the new AD tools, for the general IT person, is the
ability to create and store queries in Active Directory Users and Computers. You can now create
queries to display users, computers, or any other object you can think of, based on pretty much
any attribute you can think of. Microsoft have wisely included some predefined criteria, for
performing the most common searches, which include; Disabled Accounts, Accounts not logged
for xx days, Username (which can be the usual starts with, ends with, or contains etc),
Description, and Expired Passwords. These queries alone should be able to help most IT folk, but
the list of objects and attributes are endless.
Fig 2: Queries let you quickly find common groups of objects

We will be covering queries in further detail in a future article. There are also significant changes
to the Group Policy management facilities of AD Users and Computers. Again, these features
will be covered in further detail in future articles.

There are also, however, several overhauls under the bonnet as well that should be given due
attention. Clearly the priority with which you regard these new features will depend squarely
upon the kind of network you have, it’s structure, and your job role.

AD/AM

One of the most interesting features of this release is in actual a separate release balancing on the
coat tails of Active Directory 2003. Active Directory / Application Mode (or ADAM to it’s
closest friends) is a separate application that should proof to be a boon to application developers
and IT Managers alike. As Active Directory is a customisable database that allows for replication
across various internet links and connections, many applications (bespoke and otherwise) can use
it to store data relating to a package and its users, as well as for authorisation of users. This
means that the programmers of such applications needn’t reinvent the wheel when it comes to
creating distributed data stores, and development cycles can be reduced. It does, however,
introduce several massive problems in turn mainly a big increase in bandwidth and big lag.
Network links between branch offices are often slow, the additional data added by such
applications can easily result in these lines crawling to halt. Even in the biggest of offices, with
the fastest of lines, replication data management can be black art, and additional replication data
is never needed. In addition to this issue is that of replication speed. In a busy office with
multiple branches (the kind of network that could well make use of such bespoke applications
running on distributed data stores such as AD) the replication of all this new data means that
none of the offices are ever going to be seeing the latest of information.
Due to these issues most application developers have turned away from using AD as an
application data store. Microsoft seeks to change that by introducing a stand alone version of
Active Directory tailored towards application data storage. ADAM is available as a download
from Microsoft and is installable on either a Windows 2003 server or a Windows XP
workstation. When installed it runs in the context of a nominated account, and as it’s separate to
Active Directory replication schedules can be configured separately. On top of that, multiple
instances of ADAM can run on the same machine, which should allow developers and others
alike to test different schema setups far more easily that before.

Fig 3: Active Directory running under XP, who would of thought it!

It should be said that Microsoft has included a new Application Directory Partition feature in
AD2003, which allows for a new fourth ‘logical’ partition, called ‘Application’. This new
partition is tailor made to store data from 3rd party AD aware programs, and means that data for
Ad aware programs can be stored outside of the main three partitions, and can have separate
replication schedules. This obviously has several of the advantages that benefit the ADAM
approach, but with ADAM you are able to run multiple instances, something which cannot be
done with a normal AD installation.

Replication improvements
a dv er ti se me n t

One of the areas that people have been most vocal about is that of replication traffic. Microsoft
have long had a reputation for bloat-ware, applications that seem to be unnecessarily large in the
file department, and they have been working hard to try to cut down on the amount of data
moved across network links in the name of AD replication.

One of the most apparent examples of the new improvements in replication techniques can be
seen in the form of Linked Value Replication. This new feature will seem logical to some, but
was much desired in the Active Directory 2000. Linked Value Replication allows single values
of multi-value attributes to be replicated between servers, so that, for example, when you add a
new member to a security group containing 1000 users, only that one new user is replicated.
Previously, all the values in multi-valued attributes where replicated, so that all 1000 members
would have had to have been replicated in order for just that one new user to be included in the
group. Even in my current small network, with three branch offices and 6 servers, this could
make a real difference. On side note, Microsoft have now removed the maximum limit of objects
within a group which was set to 5000. You can now have an infinite number of members within
a group.

With bandwidth in mind, Microsoft has also included ‘cached credentials’. Cached Credentials
allow users at remote branch offices, which have a domain controller running,, to log on even
without a connection to a Global Catalogue server. Even though modern leased line and wan
links are far more reliable than they once were and have up times rated in the area of 99.99%,
they still fail, and if you consider that a lot of small remote offices are connected via some form
of fixed DSL line you can see why anything that allowed users to get working while a line was
down would be a great boon.

One last improvement that can be grouped in to the bandwidth saving category is ‘Install of
Replica from Media”, which is, as I’m sure you would agree, a catchy title! In simple terms this
allows you install a copy of the Active Directory database via a network copy, or a CD or any
other media, rather than relying on the replication to take place across the network. Imagine, if
you will, that you are on site at a remote branch office installing a new Domain Controller. The
connection to the branch office is a low speed leased line, or possibly a form of DSL (which may
not be the most reliable of beasts), and you know that the AD replication will take some time. In
a hurry to move on you pull out a copy of the AD database on CD, or DVD, from your bag of
tricks, and install it in a matter of minutes. It would seem that we are being smothered in new
bandwidth saving features, which in all is no bad thing.

While I hope that, after reading this article, you agree with me that Active Directory 2003 has
some significant improvements over the previous version, there are still several areas where
future improvements could be made. The Active Directory is an important, and complex, part of
any network, and as such further facilities to document the layout of any Active Directory setup
would be very useful. On a more important note, better tools are needed in the area of Health
Monitoring. There are several good tools in the market for monitoring and assessing your Active
Directory installation, but these often come with a great cost. Its about time that these kind of
tools, at least basic versions of them, where a feature of even the most minimal installations.

If the current version is anything to go by, the future of Active Directory is promising.
Windows Server 2003 Active Directory and Security
questions
By admin | December 7, 2003

1. What’s the difference between local, global and universal groups? Domain local groups assign access
permissions to global domain groups for local domain resources. Global groups provide access to resources in other
trusted domains. Universal groups grant access to resources in all trusted domains.
2. I am trying to create a new universal user group. Why can’t I? Universal groups are allowed only in
native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to
Windows Server 2003 Active Directory.
3. What is LSDOU? It’s group policy inheritance model, where the policies are applied to Local machines, Sites,
Domains and Organizational Units.
4. Why doesn’t LSDOU work under Windows NT? If the NTConfig.pol file exist, it has the highest priority
among the numerous policies.
5. Where are group policies stored? %SystemRoot%System32\GroupPolicy
6. What is GPT and GPC? Group policy template and group policy container.
7. Where is GPT stored? %SystemRoot%\SYSVOL\sysvol\domainname\Policies\GUID
8. You change the group policies, and now the computer and user settings are in conflict. Which
one has the highest priority? The computer settings take priority.
9. You want to set up remote installation procedure, but do not want the user to gain access over it.
What do you do? gponame–> User Configuration–> Windows Settings–> Remote Installation Services–> Choice
Options is your friend.
10. What’s contained in administrative template conf.adm? Microsoft NetMeeting policies
11. How can you restrict running certain applications on a machine? Via group policy, security settings
for the group, then Software Restriction Policies.
12. You need to automatically install an app, but MSI file is not available. What do you do? A .zap text
file can be used to add applications using the Software Installer, rather than the Windows Installer.
13. What’s the difference between Software Installer and Windows Installer? The former has fewer
privileges and will probably require user intervention. Plus, it uses .zap files.
14. What can be restricted on Windows Server 2003 that wasn’t there in previous products? Group
Policy in Windows Server 2003 determines a users right to modify network and dial-up TCP/IP properties. Users may
be selectively restricted from modifying their IP address and other network configuration parameters.
15. How frequently is the client policy refreshed? 90 minutes give or take.
16. Where is secedit? It’s now gpupdate.
17. You want to create a new group policy but do not wish to inherit. Make sure you check Block
inheritance among the options when creating the policy.
18. What is "tattooing" the Registry? The user can view and modify user preferences that are not stored in
maintained portions of the Registry. If the group policy is removed or changed, the user preference will persist in the
Registry.
19. How do you fight tattooing in NT/2000 installations? You can’t.
20. How do you fight tattooing in 2003 installations? User Configuration - Administrative Templates -
System - Group Policy - enable - Enforce Show Policies Only.
21. What does IntelliMirror do? It helps to reconcile desktop settings, applications, and stored files for users,
particularly those who move between workstations or those who must periodically work offline.
22. What’s the major difference between FAT and NTFS on a local machine? FAT and FAT32 provide no
security over locally logged-on users. Only native NTFS provides extensive permission control on both remote and local
files.
23. How do FAT and NTFS differ in approach to user shares? They don’t, both have support for sharing.
24. Explan the List Folder Contents permission on the folder in NTFS. Same as Read & Execute, but not
inherited by files within a folder. However, newly created subfolders will inherit this permission.
 25. I have a file to which the user has access, but he has no folder permission to read it. Can he
access it? It is possible for a user to navigate to a file for which he does not have folder permission. This involves simply
knowing the path of the file object. Even if the user can’t drill down the file/folder tree using My Computer, he can still
gain access to the file using the Universal Naming Convention (UNC). The best way to start would be to type the full path
of a file into Run… window.
26. For a user in several groups, are Allow permissions restrictive or permissive? Permissive, if at least
one group has Allow permission for the file/folder, user will have the same permission.
27. For a user in several groups, are Deny permissions restrictive or permissive? Restrictive, if at least
one group has Deny permission for the file/folder, user will be denied access, regardless of other group permissions.
28. What hidden shares exist on Windows Server 2003 installation? Admin$, Drive$, IPC$,
NETLOGON, print$ and SYSVOL.
29. What’s the difference between standalone and fault-tolerant DFS (Distributed File System)
installations? The standalone server stores the Dfs directory tree structure or topology locally. Thus, if a shared folder
is inaccessible or if the Dfs root server is down, users are left with no link to the shared resources. A fault-tolerant root
node stores the Dfs topology in the Active Directory, which is replicated to other domain controllers. Thus, redundant
root nodes may include multiple connections to the same data residing in different shared folders.
30. We’re using the DFS fault-tolerant installation, but cannot access it from a Win98 box. Use the
UNC path, not client, only 2000 and 2003 clients can access Server 2003 fault-tolerant shares.
31. Where exactly do fault-tolerant DFS shares store information in Active Directory? In Partition
Knowledge Table, which is then replicated to other domain controllers.
32. Can you use Start->Search with DFS shares? Yes.
33. What problems can you have with DFS installed? Two users opening the redundant copies of the file at
the same time, with no file-locking involved in DFS, changing the contents and then saving. Only one file will be
propagated through DFS.
34. I run Microsoft Cluster Server and cannot install fault-tolerant DFS. Yeah, you can’t. Install a
standalone one.
35. Is Kerberos encryption symmetric or asymmetric? Symmetric.
36. How does Windows 2003 Server try to prevent a middle-man attack on encrypted line? Time
stamp is attached to the initial client request, encrypted with the shared key.
37. What hashing algorithms are used in Windows 2003 Server? RSA Data Security’s Message Digest 5
(MD5), produces a 128-bit hash, and the Secure Hash Algorithm 1 (SHA-1), produces a 160-bit hash.
38. What third-party certificate exchange protocols are used by Windows 2003 Server? Windows
Server 2003 uses the industry standard PKCS-10 certificate request and PKCS-7 certificate response to exchange CA
certificates with third-party certificate authorities.
39. What’s the number of permitted unsuccessful logons on Administrator account? Unlimited.
Remember, though, that it’s the Administrator account, not any account that’s part of the Administrators group.
40. If hashing is one-way function and Windows Server uses hashing for storing passwords, how is
it possible to attack the password lists, specifically the ones using NTLMv1? A cracker would launch a
dictionary attack by hashing every imaginable term used for password and then compare the hashes.
41. What’s the difference between guest accounts in Server 2003 and other editions? More restrictive
in Windows Server 2003.
42. How many passwords by default are remembered when you check "Enforce Password History
Remembered"? User’s last 6 passwords.

Active Directory database file NTDS.DIT

Windows 2000 Active Directory data store, the actual database file, is %SystemRoot
%\ntds\NTDS.DIT. The ntds.dit file is the heart of Active Directory including user
accounts. Active Directory's database engine is the Extensible Storage Engine
( ESE ) which is based on the Jet database used by Exchange 5.5 and WINS. The ESE
has the capability to grow to 16 terabytes which would be large enough for 10
million objects. Back to the real world. Only the Jet database can maniuplate
information within the AD datastore.

For information on domain controller configuration to optimize Active Directory, see Optimize
Active Directory Disk Performance

The Active Directory ESE database, NTDS.DIT, consists of the following tables:

• Schema table
the types of objects that can be created in the Active Directory, relationships
between them, and the optional and mandatory attributes on each type of
object. This table is fairly static and much smaller than the data table.
• Link table
contains linked attributes, which contain values referring to other objects in
the Active Directory. Take the MemberOf attribute on a user object. That
attribute contains values that reference groups to which the user belongs.
This is also far smaller than the data table.
• Data table
users, groups, application-specific data, and any other data stored in the
Active Directory. The data table can be thought of as having rows where each
row represents an instance of an object such as a user, and columns where
each column represents an attribute in the schema such as GivenName.

From a different perspective, Active Directory has three types of data

• Schema information
definitional details about objects and attributes that one CAN store in the AD.
Replicates to all domain controllers. Static in nature.
• Configuration information
configuration data about forest and trees. Replicates to all domain
controllers. Static as your forest is.
• Domain information
object information for a domain. Replicates to all domain controllers within a
domain. The object portion becomes part of Global Catalog. The attribute
values (the actual bulk of data) only replicates within the domain.

Although GUIDs are unique, they are large. AD uses distinguished name tag ( DNT ). DNT is a
4-byte DWORD value which is incremented when a new object is created in the store. The DNT
represents the object's database row number. It is an example of a fixed column. Each object's
parent relationship is stored as a parent distinguished name tag ( PDNT ). Resolution of parent-
child relationships is optimized because the DNT and PDNT are indexed fields in the database.
For more technical info on the AD datastore and its organization, a good starting point is the
Active Directory Database Sizing document.

The size of ntds.dit will often be different sizes across the domain controllers in a domain.
Remember that Active Directory is a multi-master independent model where updates are
occuring in each of the ADs with the changes being replicated over time to the other domain
controllers. The changed data is replicated between domain controllers, not the database, so there
is no guarantee that the files are going to be the same size across all domain controllers.

Active Directory routinely performs online database defragmentation, but this is limited to the
disposal of tombstoned objects. The database file cannot be compacted while Active Directory is
mounted. An ntds.dit file that has been defragmented offline ( compacted ), can be much smaller
than the ntds.dit file on its peers. To defrag ntds.dit offline:

• Back up the Active Directory using Windows 2000 Backup. W2K backup
natively supports backing up Active Directory while online. This occurs automatically
when you select the option to back up everything on the computer in the Backup
Wizard, or independently by selecting to back up System State in the backup wizard.
• Reboot
• Select the appropriate installation from the boot menu, and press F8 to
display the Windows 2000 Advanced Options menu.
• Choose Directory Services Restore Mode and press ENTER. Press ENTER
again to start the boot process.
• Logon using the password defined for the local Administrator account in the
offline SAM.
• Click Start, Programs, Accessories, and then click Command Prompt.
• At the command prompt, run the ntdsutil command.
• When ntdsutil has started
o Type files and press ENTER.
o Type info and then press ENTER. This will display current information about
the path and size of the Active Directory database and its log files.
o Type compact to drive:\directory, and press ENTER. Be sure that the
drive specified has enough drive space for the compacted database to be
created. I know, you don't know how big the compacted version will be, but if
there is enough space for the uncompacted version, you should be OK. A
gotcha!: You must specify a directory path and if the path name has spaces,
the command will not work unless you use quotation marks

compact to "c:\my new folder"

o Type quit and press Enter.

o Type quit and press Enter to return to the command prompt. A new
compacted database named Ntds.dit can be found in the folder you specified.
• Copy the new ntds.dit file over the old ntds.dit file. You have successfully
compacted the Active Directory database. If you believe in belts and suspenders, I
would copy the old uncompacted database somewhere else before I overwrote it with
the new compacted version.
• Reboot and see if all is normal.

This is a server by server task. Monitor the size of ntds.dit and if it starts growing
and performance is slow and you can not see why either situation should apply,
consider offline defrags.
If ntds.dit gets corrupted or deleted or is missing ( can happen if the promotion process to domain
controller goes bad ), you have to manually recover it using Windows 2000 Backup. Now you did
do W2K backups right?:

• Reboot the domain controller and press F8 to display the Windows 2000
Advanced Options menu.
• Select Directory Services Restore Mode and then press ENTER.
• Select the correct installation, and then press ENTER to start the boot
process.
• Logon using the administrator account and password you specified during the
promotion process. When you ran Dcpromo.exe to install Active Directory, it
requested a password to be used for the Administrator password for Active Directory
Restore Mode. This password is not stored in Active Directory. It is stored in an NT4-
style SAM file and is the only account available when the AD is corrupted.
• Click OK. This acknowledges the warning message that you are using Safe mode.
• Click Start, Programs, Accessories, System Tools, and then click Backup.
• Select the Restore tab.
• Click the + symbol next to the following items to expand them:
o File
o Media Created
o System Drive
o Winnt
o NTDS
• Click the NTDS folder to display the files in the folder.
• Click to select the ntds.dit check box.
• Leave the Restore files to box set to Original Location. This check box provides
the option to restore to an alternative location. If you restore to an alternative
location, you will have to copy the ntds.dit file into the %SystemRoot%\ntds folder.
• Click Start Restore.

To move a database or log file :

• Reboot the domain controller and press F8 to display the Windows 2000
Advanced Options menu.
• Select Directory Services Restore Mode and then press ENTER.
• Select the correct installation, and then press ENTER to start the boot
process.
• Logon using the administrator account and password you specified during the
promotion process. When you ran Dcpromo.exe to install Active Directory, it
requested a password to be used for the Administrator password for Active Directory
Restore Mode. This password is not stored in Active Directory. It is stored in an NT4-
style SAM file and is the only account available when the AD is corrupted.
• Start a command prompt, and then type ntdsutil.exe .
• At a Ntdsutil prompt, type files.
• At the File Maintenance prompt
o To move a database, type move db to %s
where %s is the drive and folder where you want the database moved.
o To move log files, type move logs to %s
where %s is the drive and folder where you want the log files moved.
o To view the log files or database, type info.
 o To verify the integrity of the database at its new location, type
integrity.
o Type quit
o Type quit to return to a command prompt.
• Restart the computer in Normal mode.

When you move the database and log files, you must back up the domain controller.

DHCP
In the dawn of the Internet revolution, the most common way to get connected was
to use a dial-up connection. With dial-up connections, each time you logged in, you
initiated a new session, and you were assigned with a new IP address from your
Internet Service Provider (ISP). And as you can imagine, if this had to be done by
hand, it would have been a very slow process. This is why the DHCP was created.

What is DHCP?
The Domain Name System, more popular as DNS, and the Dynamic Host
Configuration Protocol, also known as DHCP, represent two crucial TCP/IP areas of a
Windows NT Server network. The DNS is responsible for converting hostnames into
IP addresses, while the DHCP is engaged in assigning unique dynamic IP addresses
and the corresponding subnet masks and default gateways to TCP/IP running
computers within a particular server network.

Why would you need to use the DHCP? Thanks to the dynamic addressing executed
by the DHCP, a computer can have a different IP address every time it connects to
the network it belongs to, without the intervention of a UNIX administrator. Through
this DHCP functionality every new computer added to a network is automatically
assigned a unique IP address.

DHCP servers greatly simplify the configuration of networks and are built in the
majority of the wireless access points and wired Ethernet routers.

How does the DHCP work?

In a network, a DHCP server manages a pool of IP addresses, as well as default
gateway details, DNS details and other information for the clients’ network
configuration. When a new computer is introduced into a DHCP server-enabled
network, it will send a query to the DHCP server requesting all the necessary
information. When the query reaches the DHCP server, it will grant the new
computer a new IP address and a lease - a time frame for which the computer can
use this IP address, as well as other configuration details. The whole process takes
place immediately after the new computer boots, and to be successful, it has to be
completed before initiating IP based communication with other hosts in the network.

DHCP allocation methods

Depending on its configuration, the DHCP server can work in 3 ways:

Dynamic allocation
When the DHCP server is configured to use dynamic allocation, this means that it
uses a lease policy. This way, when an assigned IP address from the available pool
is no longer used, it will be transferred back to the pool, making it available for
someone else to use. The advantage of this method is that the IP addresses are
used to their maximum - as soon as they are no longer used by the client, they are
instantly made available to others. The disadvantage of this method is that a client
will always have a random IP address.

Automatic allocation
The automatic allocation method resembles very much the dynamic allocation
method - as soon as a client connects, the DHCP server provides him with an IP
address from the IP address pool. However, when automatic allocation is used, the
DHCP server keeps a database of previous IP grants, and tries to give the client the
same IP address he used the last time, if available.

Static allocation
The static allocation method is very popular in modern ISP networks, which do not
use dial-up methods. With the static allocation, the DHCP sever keeps a database
with all clients' LAN MAC addresses and gives them an IP address only if their MAC
address is in the database. This way, the clients can be sure that they will be
getting the same IP address every time.

A DHCP server can be set to work using a combination of the allocation methods.
For example, in a public WiFi network, all of the known hosts and permanent clients
can use the static allocation, whereas for guests, the dynamic allocation is used.
This way, known hosts can always use the same IP address and the IP address pool
is equally available to everyone.