Skip to main content

Active Directory Essentials

Active Directory is Microsoft's proprietary directory service protocol for Windows 2000, 2003 and 2008 servers. Active Directory provides a database which can be queried to find hosts, servers, services and resources within one or more administrative domains that are part of a forest. Windows Active Directory is an X.400-based directory service which stores information about 'objects' within a 'domain'. User accounts, computers, servers and services are all objects within Active Directory. These base objects can also be collected into 'containers'. Active Directory allows objects, such as computers and users, to be grouped into Organizational Units. Organizational Units are 'containers' within Active Directory and can have access controls and security polices allowing a single policy to be applied to a group of objects in an easy manner. Objects are part of Containers, and Containers are part of a Domain. Domains are part of an Active Directory hierarchy or 'tree'.
Users > Organizational Units > Domains > Trees
Active Directory system was designed to 'integrate' with LDAP and Internet DNS. Each Active Directory 'tree' for a computer network forms a domain. The domains can be set up to communicate with each other via Microsoft's patented 'trust' relationships. Thus, an Active Directory tree in one network can communicate on a 'trusted' (not) basis with an Active Directory 'tree' from another network to form a 'forest'..
[ As if Microsoft hadn't confused things enough already with 'domains'... --InetDaemon ]

Active Directory Domain Controllers

Only Active Directory Domain Controllers provide Active Directory services. Active directory information is stored in the DNS server zone files using a special SVR record and a special naming convention used for services running on a particular host. This convention uses underscores. Underscores used in a DNS domain name are illegal (not part of the DNS specification) but Microsoft uses them anyway in the service and domain portions of the fully qualified name of a computer.
Active Directory can be configured three ways:
  • OFF (Not running or integrated at all)
  • Mixed Mode (Backwards compatible with Windows NT domains, and very limited Active Directory functionality)
  • 'Native' Mode (Full Active Directory NO WINDOWS NT SERVERS PERMITTED!)
The first Windows domain created becomes the root of the first 'domain tree', and as the first tree, it becomes the 'parent' of all other domains/trees. The 'root domain' or 'parent tree' cannot be moved, deleted or changed. Therefore, in transitioning to Windows 2000, you must create the ROOT domain (parent DNS domain if that makes sense) first.
By default, when you configure a child domain to communicate with the parent, they default to a 'two-way transitive trust' relationship (Parent <-> Child1). This means that each domain fully trusts the other. When a third domain is added (Child2), it automatically trusts both domains (Parent and Child1), even though it is connected to only one of them (Child2<->Parent). Through the parent domain, Child2 has access to Child1. .
Forests are created when two root domains are configured to share a 'global catalog'.

Active Directory Essentials

The Active Directory database is stored in a single flat file named ntds.dit on Windows 2000 and Windows 2003 Active Directory servers. The file ntds.dit is a Microsoft Jet database file. The Extensible Storage Engine (ESE) is used to access and manage the contents of the ntds.dit file. The ntds.dit file is stored in the following folder:
%SystemRoot%\ntds
Note that %SystemRoot% is a Windows environment variable which contains the path to the Windows system root directory (usually C:\windows).

Active Directory Objects

Every object in the Active Directory database points to its one and only parent, therefore the total store of all objects in the database may be thought of as a hierarchy.
  • Forest
    • Domains (a tree of domains)
      • Security Principals
        • Users
        • Groups
        • Computers
          • Workstations
          • Servers
          • Domain Controllers
      • Containers
      • Organizational Units
    • Group Policy Objects
      • Rights / Permissions
      • WMI Filters
    • Sites
  • System Access Control Lists
  • Discretionary Access Control List

Active Directory Tools

Microsoft installs several tools for managing Active Directory when a Windows server is promoted to a domain controller during installation or after using the dcpromo MS-DOS command.
  1. Active Directory Users and Computers (dsa.msc)
  2. Active Directory Domains and Trusts (domain.msc)
  3. Active Directory Sites and Services (sites.msc)
  4. Active Directory Schema Snap-in (added as a 'snap-in' to a generic instance of the mmc)
  5. Group Policy Management Console (gpmc.msc)
NOTE: The Microsoft Management Console (MMC) is a generic window-control used for managing Windows services and controls. The MMC supports snap-ins allowing an administrator to pull together multiple controls into a single window.

Active Directory Users and Computers

This tool is used to manage the Directory Objects within the domain, to create, add and modify computers and users and to remove them from the domain.

Active Directory Domains and Trusts

The parent-child relationships, replication and level of trust between domains is managed with this tool.

Active Directory Sites and Services

This tool allows a Domain Administrator to create 'sites' and to force replication between sites.

Active Directory Schema

This tool is used to manage Active Directory database schema and base object types.

Group Policy Management console

From this console, a Windows Active Directory Administrator can link security policies to objects, organizational units, sites and domains within an Active Directory Forest.

Labels

Labels:

Comments

Post a Comment

Popular posts from this blog

How To Recover Passwords Using Ophcrack LiveCD

Ophcrack LiveCD 3.4.0 is a completely self contained, bootable version of Ophcrack 3.4.0 - the easiest and most effective tool that I've ever found to "crack" your forgotten Windows password. For a quick overview of Ophcrack, see my complete review of Ophcrack 3.4.0 . Ophcrack is a free software program that recovers passwords so the first step you'll need to take is to visit Ophcrack's website . When the Ophcrack website loads as shown above, click the Download ophcrack LiveCD button. Note: Since you obviously can't get into your computer right now because you don't know the password, these first four steps will need to be completed on another computer that you have access to. This other computer will need to have access to the Internet and the capability to burn a disc (like a CD, DVD, etc.). Another Note: The instructions I've put together here walk you through the entire process of using Ophcrack LiveCD to recover your password. If you...
Post a Comment
Read more

Configuring the Linksys WRT54GS Router for wifi

Basic ADSL Router setup The full GUI can be accessed at http://ui.linksys.com/WRT54G/v1-v4/4.20.7/index.htm location  The router will work out of the box, but has none of the security functions enabled as standard. It should be connected by Cat5 or 5e ethernet cable between a modem and the computer network as its job is to manage traffic and protect the network with its built-in firewall. Configuring the WRT54GS is quite straightforward thanks to its user-friendly web interface. To access it enter; http://192.168.1.1 into your web browser. You will be prompted to enter a username and password. Enter admin for both, you will be changing this later. Router Name This image above is of the first web interface showing the basic configuration settings. Nothing needs to be changed here for most home user setups, but I suggest changing the Router Name to something meaningful and changing the Time Zone. If you have made any changes, click Save at t...
1 comment
Read more

How To Setup a USB Flash Drive to Install Windows 7

If you have an ISO image of Windows 7, using Microsoft’s free utility is a quick and easy option to get the image on your USB flash drive. It requires XP SP2 or higher and if you’re using an XP machine you’ll need .NET Framework 2.0, and Microsoft Image Mastering API V2…both of which can be downloaded from the link below. It seemed to work best if I formatted the flash drive as NTFS before using the download tool. But that could be because of the flash drive I used…your mileage may vary.   It’s a pretty straight forward process, first browse to the location of your Windows 7 ISO file and click Next. Select USB device…this also helps you burn the ISO to DVD as well if you need that option. Choose your flash drive and click Begin copying. Now just wait for the process to complete. The drive will be formatted and files copied to the flash drive. When the process is finished you will be able to see the files on the flash drive as you would if you opened the installat...
1 comment
Read more