
Active Directory


Terms

Fundamentals

History

Active Directory has its origins in 1990 when Microsoft released Windows NT 3.0, its first Network Operating System (NOS). Limitations of NT led Microsoft to rearchitect their solution based on LDAP, a directory service that originated in 1993 as a lighter-weight alternative to X.500.

| Feature | NT | AD |
| --- | --- | --- |
| Database | SAM | ESE |
| Trust | Simple | Transitive |
| Domain models | Multimaster, Single-domain, Single-master, Complete trust | Complete trust |
| Name resolution | WINS | DNS |
| Schemas | Not extensible | Extensible |

Major components

AD objects, which can be containers or non-containers (leaf nodes), are stored in a DIT file. Each object is identified by its GUID, but is also commonly referred to by its distinguished name (e.g. dc=mycorp,dc=com).

Active Directory's structure is based on the concept of a domain, which is built from the following components:

- Hierarchical structure of containers and objects based on X.500
- DNS domain name
- Security service to provide AAA
- Policies to restrict functionality for users or machines

Domains can be organized into domain trees, and domain trees can be organized into forests.

The most common container type is the OU. Global Catalog can be used to search for AD objects.

Because Kerberos, which underlies AD, is sensitive to time differences, all computers on a domain must have clocks synchronized to within 5 minutes. NTP can be useful for this.

Naming contexts

Predefined NCs within AD:

- Domain Naming Context
- Schema Naming Context
- Configuration Naming Context

Schema

Each object in AD is an instance of a class defined in the schema. The schema version can be queried from the command-line with [adfind][adfind] OID

SID

A Windows SID is generally composed of 2 fixed fields and up to 15 additional fields, all separated by dashes:

S-v-id-s1-s2-s3-s4-s5-s6-s7-s8-s9-s10-s11-s12-s13-s14-s15
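As an added example (not part of the original page), a Python parser for the dashed SID string form shown above and for the binary form that LDAP returns in the objectSid attribute; it enforces the 15-sub-authority limit and round-trips between the two encodings. The domain SID values used in comments and tests are constructed, not taken from a real domain.

```python
# Added example: parse Windows SIDs in both the dashed string form and the
# binary form LDAP returns in the objectSid attribute.
# Sample values are constructed, not from a real domain.
import re
import struct
from dataclasses import dataclass
from typing import Tuple

MAX_SUB_AUTHORITIES = 15  # the "up to 15 additional fields"

@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int  # 48-bit value (e.g. 5 = NT Authority)
    sub_authorities: Tuple[int, ...]

    def __str__(self) -> str:
        fields = [self.revision, self.identifier_authority, *self.sub_authorities]
        return "S-" + "-".join(str(f) for f in fields)

    def rid(self) -> int:
        """Relative identifier: the last sub-authority (e.g. 500 = built-in Administrator)."""
        return self.sub_authorities[-1]

def parse_sid_string(text: str) -> Sid:
    m = re.fullmatch(r"S-(\d+)-(\d+)((?:-\d+){0,15})", text)  # at most 15 sub-authorities
    if not m:
        raise ValueError(f"not a well-formed SID: {text!r}")
    rev, auth = int(m[1]), int(m[2])
    subs = tuple(int(s) for s in m[3].split("-") if s)
    if auth >= 1 << 48 or any(s >= 1 << 32 for s in subs):
        raise ValueError("field out of range")
    return Sid(rev, auth, subs)

def parse_sid_binary(blob: bytes) -> Sid:
    # Layout: revision (1 byte), sub-authority count (1 byte), identifier
    # authority (6 bytes, big-endian), then count x 32-bit little-endian values.
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    rev, count = blob[0], blob[1]
    if count > MAX_SUB_AUTHORITIES or len(blob) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    auth = int.from_bytes(blob[2:8], "big")
    return Sid(rev, auth, struct.unpack_from(f"<{count}I", blob, 8))

def sid_to_binary(sid: Sid) -> bytes:
    n = len(sid.sub_authorities)
    return (bytes([sid.revision, n]) + sid.identifier_authority.to_bytes(6, "big")
            + struct.pack(f"<{n}I", *sid.sub_authorities))
```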

AD LDS

AD LDS offers a pared-down version of AD that is easy to set up and tear down. It was first released in November 2003 as Active Directory Application Mode (ADAM) V1.0 and offers security benefits because it enables fewer services by default. It was renamed AD LDS with the release of Windows Server 2008.

Differences between AD and AD LDS:

- AD LDS is a standalone application run from a dsamain.exe process (rather than lsass.exe), which means it can be started or stopped on demand without rebooting, and multiple instances can be run.
- AD LDS lacks the global catalog functionality (removing NSPI and AB as well).

Site topology

A site topology is a map of the sites, subnets, site links, site link bridges, and connection objects as it relates to a forest.

WMI

An industry effort to develop a model for managing systems and devices for vendor use arose in the 1990s, which resulted in CIM, the basis for WMI. The WMI architecture is composed of two main layers: the CIM infrastructure (CIMOM and CIM Repository) and the WMI providers. Each provider is associated with a namespace, which is similar in concept to a filesystem.

.NET

The .NET Framework was developed with the intention of replacing the old Win32 and COM APIs. It has two major components:

- Common Language Runtime (CLR)
- .NET Framework class library

Searching Active Directory