Active Directory

The document provides an overview of Active Directory (AD) and Group Policy, detailing its structure, components, and functionalities such as LDAP directory service, schema, and replication. It explains the building blocks of AD including objects, sites, domains, and roles, as well as the concept of forests and functional levels. Additionally, it covers the roles of domain controllers, trusts, and the global catalog within the AD framework.

Active Directory and Group Policy

Blackhat Amsterdam
Raymond Forbes
Overview

• Active Directory Basics
  – Structure
  – Components
  – Objects
  – Roles
  – Schema
  – Sites
  – Interop
• Group Policy
Active Directory

• What is Active Directory?
  – LDAP directory service (the data store is exposed to clients over LDAP)
  – Works with and requires DNS (clients locate domain controllers through DNS SRV records)
  – Introduced with Windows 2000 Server; Windows 2000 and Windows XP clients are AD-aware
  – Centrally managed
  – Extensible (the schema can be extended with new classes and attributes)
  – Interoperable (standard LDAP and Kerberos)
Active Directory

• Building blocks of Active Directory
  – Objects
      Users
      Machines
  – Sites
  – Domains
  – Trees
  – Forests
Active Directory

  – Trusts
      Transitive (parent/child and tree-root trusts inside a forest)
      Non-transitive (external trusts to domains outside the forest)
      Cross link (a shortcut trust between two domains in the same forest, to avoid walking the tree)
  – Domain Controllers
  – Groups
      Global groups
      Universal groups
      Domain local groups
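The practical question behind the trust types listed above is "whose users can authenticate to this domain?". The following is an added example, not code from the slides: it models the rule that a single hop may use any trust, but a path of two or more hops is only valid when every hop is transitive. The forest layout (corp.example with two child domains, a shortcut trust, and an external trust to partner.test) is constructed for illustration.

```python
"""Added example (not from the original slides): compute which account
domains a resource domain will accept, given trust transitivity."""
from collections import deque

# Constructed sample forest, as (trusting domain, trusted domain, transitive?)
# corp.example is the forest root; eu.corp.example and us.corp.example are
# child domains (two-way transitive parent/child trusts). eu<->us also have a
# shortcut (cross link) trust. partner.test is reached through an external,
# non-transitive trust from us.corp.example only.
TRUSTS = [
    ("corp.example", "eu.corp.example", True),
    ("eu.corp.example", "corp.example", True),
    ("corp.example", "us.corp.example", True),
    ("us.corp.example", "corp.example", True),
    ("eu.corp.example", "us.corp.example", True),   # shortcut (cross link)
    ("us.corp.example", "eu.corp.example", True),
    ("us.corp.example", "partner.test", False),     # external, non-transitive
]


def account_domains(resource_domain, trusts=TRUSTS):
    """Return the set of domains whose users can be authenticated by
    resource_domain.  A direct trust of any kind counts; a chain of trusts
    counts only if every hop in the chain is transitive."""
    out = {}  # trusting domain -> [(trusted domain, transitive?)]
    for trusting, trusted, transitive in trusts:
        out.setdefault(trusting, []).append((trusted, transitive))

    reachable = set()
    # BFS state: (domain, True if every hop taken so far was transitive)
    start = (resource_domain, True)
    queue = deque([start])
    seen = {start}
    while queue:
        dom, chain_transitive = queue.popleft()
        for nxt, transitive in out.get(dom, []):
            first_hop = dom == resource_domain
            # Beyond the first hop, the whole chain (including this hop)
            # must be transitive for the path to be usable.
            if not first_hop and not (chain_transitive and transitive):
                continue
            reachable.add(nxt)
            state = (nxt, chain_transitive and transitive)
            if state not in seen:
                seen.add(state)
                queue.append(state)
    reachable.discard(resource_domain)
    return reachable


if __name__ == "__main__":
    for dom in ("corp.example", "eu.corp.example", "us.corp.example"):
        print(dom, "accepts users from:", sorted(account_domains(dom)))
```

Note what falls out of the model: users of partner.test can reach us.corp.example, but not corp.example or eu.corp.example, because the external trust is the non-transitive link in every longer path. Real forest trusts between two forests behave like the external trust here with respect to a third forest.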
Active Directory

• Sites
  – A collection of well-connected IP subnets (the physical topology, independent of the domain and forest structure)
  – Site and subnet objects live in the Configuration partition, so they are stored by all domain controllers in the forest
  – Intra-site replication is near-immediate (driven by change notification)
  – Inter-site replication can be scheduled, and the traffic is compressed
  – Used at logon to find the closest domain controller: the client's IP address is matched to a subnet object, and the subnet to a site
  – Bridgehead server
      Maintains the replication link between sites; all inter-site replication for a partition goes through it
Active Directory

  – Subnets
      AD subnet objects do not necessarily match the physical subnets; they only need to be accurate enough for the domain controller locator to map a client address to the right site
  – Knowledge Consistency Checker (KCC)
      Automatically defines the replication topology (connection objects) and chooses bridgehead servers
      Both can be set manually (preferred bridgehead servers, manual connection objects)
Active Directory

• FSMO Roles (Flexible Single-Master Operation)

  – Domain Naming Master (one per forest)
      Addition and removal of domains in the forest
  – Infrastructure Master (one per domain)
      Maintains references to objects in other domains (e.g. cross-domain group members). Should not sit on a Global Catalog unless every DC in the domain is a GC, or it stops updating those references.
  – PDC Emulator (one per domain)
      Support for NT4 BDCs and clients. Password changes made on any DC are forwarded to it immediately, so it is consulted before a logon is refused for a bad password elsewhere. Also the domain's time source.
  – Relative ID (RID) Master (one per domain)
      Hands out RID pools to the domain controllers so that all SIDs stay unique. Object moves between domains go through it.
  – Schema Master (one per forest)
      The only domain controller on which the schema can be modified
Active Directory

• Global Catalog
  – Holds a read-only partial replica of every other domain in the forest (plus the full, writable replica of its own domain)
  – Partial database: the partial attribute set, i.e. the subset of attributes that the schema marks for GC replication
  – Used for forest-wide searches and for logons
  – All universal group membership is stored in the Global Catalog, so in a multi-domain forest a GC must be reachable at logon to build the user's token (unless universal group membership caching is enabled in the site)
Active Directory

• Schema
  A set of rules that defines the classes of objects and attributes that can be contained in the directory.
Active Directory

  – Schema classes
      Abstract classes
        – Not actually used to make objects; used to provide structure to the schema
      Structural classes
        – Used to make directory objects
      Auxiliary classes
        – Provide add-on attributes that can be applied to other classes
Active Directory

  – The schema is cached in memory on every domain controller
  – Only one schema for the entire forest
  – Nothing can actually be deleted from the schema after it has been extended.
      The only option is to deactivate (defunct) classes and attributes that are no longer used.
Active Directory

• DNS
  – AD registers a number of SRV records in your DNS. The data is "priority weight port target"; the names below are relative to the domain's own zone:
      _ldap._tcp                 600 IN SRV 0 100 389 server1
      _ldap._tcp.pdc._msdcs      600 IN SRV 0 100 389 server1
      _kerberos._tcp.dc._msdcs   600 IN SRV 0 100  88 server1
  – Site-specific variants such as _ldap._tcp.<site>._sites.dc._msdcs let a client find a domain controller in its own site
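The Sites slide above says the client's address is matched to a site at logon, and the DNS slide shows the records that are then queried. The following is an added example, not code from the slides, that puts the two steps together: longest-prefix matching of the client IP against AD subnet objects, then RFC 2782 SRV selection (lowest priority first, weighted random among equal priorities) over the site-specific record set, falling back to the domain-wide set when the site has no records. The domain name corp.example, the subnets, sites and server names are constructed for illustration.

```python
"""Added example (not from the original slides): site lookup plus SRV
selection, the two steps of finding a domain controller."""
import ipaddress
import random

# Constructed AD subnet objects: prefix -> site name
SUBNETS = {
    "10.0.0.0/8": "Default-First-Site-Name",
    "10.20.0.0/16": "Amsterdam",
    "10.20.5.0/24": "Amsterdam-Lab",      # no DC records of its own below
    "192.168.0.0/16": "London",
}

# Constructed SRV records: (name, priority, weight, port, target)
SRV = [
    ("_ldap._tcp.Amsterdam._sites.dc._msdcs.corp.example", 0, 100, 389, "dc1.corp.example"),
    ("_ldap._tcp.Amsterdam._sites.dc._msdcs.corp.example", 0, 50, 389, "dc2.corp.example"),
    ("_ldap._tcp.Amsterdam._sites.dc._msdcs.corp.example", 10, 100, 389, "dc9.corp.example"),
    ("_ldap._tcp.London._sites.dc._msdcs.corp.example", 0, 100, 389, "dc3.corp.example"),
    ("_ldap._tcp.dc._msdcs.corp.example", 0, 100, 389, "dc1.corp.example"),
    ("_ldap._tcp.dc._msdcs.corp.example", 0, 100, 389, "dc3.corp.example"),
]


def site_for_ip(ip, subnets=SUBNETS):
    """Map a client address to a site: the most specific matching subnet wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None


def select_srv(records, rng):
    """RFC 2782 selection over one SRV RRset: keep only the lowest priority,
    then pick proportionally to weight."""
    if not records:
        return None
    lowest = min(r[1] for r in records)
    candidates = [r for r in records if r[1] == lowest]
    total = sum(r[2] for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    running = 0
    for r in candidates:
        running += r[2]
        if pick < running:
            return r
    return candidates[-1]


def locate_dc(client_ip, domain, records=SRV, seed=None):
    """Return (site, target, port).  Tries the site-specific record set first
    and falls back to the domain-wide set when the site has no records."""
    rng = random.Random(seed)
    site = site_for_ip(client_ip)
    names = []
    if site:
        names.append(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{domain}")
    for name in names:
        rrset = [r for r in records if r[0].lower() == name.lower()]
        chosen = select_srv(rrset, rng)
        if chosen:
            return site, chosen[4], chosen[3]
    return site, None, None


if __name__ == "__main__":
    for ip in ("10.20.9.1", "10.20.5.7", "192.168.1.1", "172.16.0.1"):
        print(ip, "->", locate_dc(ip, "corp.example"))
```

dc9 (priority 10) is never chosen while a priority-0 DC is listed; that is the standard way to keep a DC registered but used only as a last resort. The real locator goes further than this model: after picking candidates it sends an LDAP ping and prefers a DC that answers, and sites without a DC are served through automatic site coverage rather than the bare domain-wide fallback.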
Active Directory

• Replication
  – Multi-master: any writable domain controller accepts changes
  – Tracks metadata for every change
  – Differs depending on whether it is intra-site or inter-site
      Intra-site is simple and not very configurable (notification-driven, uncompressed RPC)
      Inter-site can use RPC over IP or SMTP (SMTP only for the schema, configuration and application partitions, never the domain partition)
  – Not all data is replicated
      For instance, a user's lastLogon time is kept separately on each domain controller
  – Replicates changed attributes, not entire objects
Active Directory

  – Metadata
      Update Sequence Number (USN)
        – A counter local to each domain controller; identifies the latest update on that particular DC
      Property version number
        – Version of the attribute, incremented on every originating write
      Attribute timestamp
      Originating domain controller, identified by its invocation ID (a GUID), not by IP address
  – Each server stores the highest USN it has seen from each replication partner separately (the high-watermark vector)
      Each USN is stored under the partner's invocation ID (GUID)
Active Directory

  – When a change is made on a domain controller, its USN is incremented and the change is stamped with it. The replication partners are notified.
  – Each partner asks for all changes after the USN it has recorded for that DC.
  – The partner applies the changes and stores the new USN for that DC.
  – If the same attribute was changed on two DCs before they replicated, the higher version number wins; on a tie the later timestamp wins, then the higher originating invocation ID.
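The following is an added example, not code from the slides: a two-DC model of the mechanism just described, with a per-DC USN, a per-attribute version number, timestamp and originating invocation ID, a high-watermark vector keyed by partner GUID, and the conflict rule (version, then timestamp, then invocation ID). DC names, invocation IDs and the object being edited are constructed. The model omits the up-to-dateness vector that real AD uses to avoid sending a change back to its originator; here the originator simply sees an equal stamp and ignores it, which gives the same end state.

```python
"""Added example (not from the original slides): attribute-level multi-master
replication with USN watermarks and stamp-based conflict resolution."""


class DomainController:
    def __init__(self, name, invocation_id):
        self.name = name
        self.invocation_id = invocation_id      # constructed GUID string
        self.usn = 0                            # local update sequence number
        # (dn, attr) -> {value, version, ts, orig, local_usn}
        self.store = {}
        self.high_watermark = {}                # partner invocation id -> last USN seen

    def write(self, dn, attr, value, ts):
        """Originating write on this DC: bump the local USN and the attribute version."""
        self.usn += 1
        cur = self.store.get((dn, attr))
        version = cur["version"] + 1 if cur else 1
        self.store[(dn, attr)] = dict(value=value, version=version, ts=ts,
                                      orig=self.invocation_id, local_usn=self.usn)
        return self.usn

    def changes_since(self, usn):
        """Attributes whose local USN is above the partner's watermark for us."""
        return [((dn, attr), dict(meta)) for (dn, attr), meta in self.store.items()
                if meta["local_usn"] > usn]

    @staticmethod
    def _stamp(meta):
        # Conflict resolution order: version, then timestamp, then originating DC
        return (meta["version"], meta["ts"], meta["orig"])

    def replicate_from(self, partner):
        """Pull replication: fetch everything after our watermark for the partner,
        apply what wins, and record the partner's current USN."""
        since = self.high_watermark.get(partner.invocation_id, 0)
        applied = 0
        for key, meta in partner.changes_since(since):
            current = self.store.get(key)
            if current is None or self._stamp(meta) > self._stamp(current):
                self.usn += 1                   # a replicated write consumes a local USN too
                meta["local_usn"] = self.usn    # the stamp (version/ts/orig) is kept as-is
                self.store[key] = meta
                applied += 1
        self.high_watermark[partner.invocation_id] = partner.usn
        return applied

    def value(self, dn, attr):
        meta = self.store.get((dn, attr))
        return meta["value"] if meta else None


def demo():
    """Two DCs edit the same attribute between replication cycles."""
    dc1 = DomainController("DC1", "11111111-1111-1111-1111-111111111111")
    dc2 = DomainController("DC2", "22222222-2222-2222-2222-222222222222")
    dn = "CN=alice,OU=Users,DC=corp,DC=example"   # constructed object
    dc1.write(dn, "title", "Engineer", ts=100)
    dc2.replicate_from(dc1)                         # both now at version 1
    dc1.write(dn, "title", "Senior Engineer", ts=200)   # version 2 on DC1
    dc2.write(dn, "title", "Team Lead", ts=210)         # version 2 on DC2
    dc1.replicate_from(dc2)
    dc2.replicate_from(dc1)
    return dc1.value(dn, "title"), dc2.value(dn, "title")


if __name__ == "__main__":
    print(demo())
```

In demo() both writes reach version 2, so the later timestamp (DC2's) wins on both sides. Had DC1 been written twice, its version 3 would win regardless of timestamps; the test below checks that case as well.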
Replication Services

• Distribute directory data across a network
  – This includes both the data store itself as well as data required to implement policies and configuration, including logon scripts. The file side of that (SYSVOL: scripts and Group Policy templates) is replicated by the File Replication Service (DFS Replication from Windows Server 2008), not by directory replication.
FOREST

• A collection of one or more AD domains.
• The first domain installed in a forest is called the forest root domain.
• A forest contains a single definition of network configuration and a single instance of the directory schema.
• A forest is a single instance of the directory: no data is replicated by AD outside the boundaries of the forest.
• A forest defines the security boundary. A domain is only an administrative boundary: an administrator of any domain controller in the forest can compromise the entire forest.
Functional Level

• The functionality available in an AD domain or forest depends on its functional level.
• The domain functional levels (as of Windows Server 2008) are:
  – Windows 2000 native
  – Windows Server 2003
  – Windows Server 2008
• The functional level determines the versions of Windows permitted on domain controllers, and with that which directory features are available.
• The forest functional level is set separately and cannot be raised above the lowest domain functional level in the forest.
