AD LAYER 8: AD background-ish info, Forests, Forest Root Domain, Trees, Domains, OUs, DCs, GCs, FSMOs, GPO stuff, AD Functional Levels, Trusts, Kerberos, Architecture, MISC
Active Directory (AD) background-ish info
A GPO is a group of security policies and has almost nothing to do with groups.
An OU is not a group. An OU is not a security principal. An OU is a container object to which GPOs can be linked.
See also the AD architecture section of this site
See Service Locators on the DNS page of this site
An instance of AD
A single configuration partition
A forest is a true security boundary - choose multiple forests to have security boundary separation
A forest has a single schema - choose multiple forests to have more than one schema
A forest can contain millions of objects
A forest contains one or more trees
A single GC (Global Catalog) replica
There are trusts between all domains in a forest. These trusts are created automatically.
See also Trusts, below
A forest has a single forest root domain.
Enterprise admins (EAs) are homed in the forest root domain - EAs have rights to all domains in the forest.
The forest root domain is always the first domain instantiated in the forest.
The forest root is not movable, transferable or deletable. It is cumbersome to rename the root domain.
All trees in the forest have a trust relationship with the forest root domain, so inter-tree DNS (and replication ?) traffic flows through the forest root. This is the central tree root trust.
A forest may have an empty (dedicated) root domain, named something like "DS" or "AD", with the child domains under it. No or minimal principals are kept in the root. This is a security best practice (at least in larger organizations): domain admins (DAs) in the forest root can elevate themselves to enterprise admins (EAs), so this model gives a whole domain just to the EAs (EAs are homed in the forest root domain by default) and keeps all the child domains on equal security-boundary terms.
See also Trusts, below
A tree is made of domains; specifically a tree is one or more name-space-wise contiguous AD domains.
See also Trusts, below
Contains OUs, users, computers, and many other objects
A division or part of a forest
Domain has a real-world and best practice minimum of two DCs. (Technically only one DC is required.)
All replica servers (AKA DCs) in a domain share a domain partition in their NTDS.dit database file
GCs have an indexed subset of this domain partition
A security principal's "home" domain provides its authentication; this means that for resources in other domains to authenticate the principal, cross-domain authentication traffic must occur.
Enterprise admins (EAs) have rights to all domains in their forest
See also Trusts, below
More info on these next points in the design section under "One or more domains?"
A replication boundary
GPO based account policy is by domain only
An administrative boundary
Contains users, computers, other objects
OU best practice:
An index and partial replica of the objects and attributes most frequently used (throughout the whole forest) in every domain.
MS recommends a GC in each Site. Note that there is a GC (and DC) replication cost incurred which might outweigh the service's placement here.
If the forest is only one domain, you can simply make all DCs GCs, as there is no replication hit taken in this scenario.
MS recommends a GC (in the same site) for each Exchange server.
Universal Group (UG) Caching off, by default.
UG Caching set by site - ensure that the Site contains >= 1 2003 DC, as this is a 2003 feature.
Function allows a DC to query a GC for and cache a user's UG membership - subsequent UG membership lookups can hit the DC and be resolved without a (potentially cross-WAN) GC query.
Flexible Single-Master Operations (FSMO)
Flexible Single Master Operations (FSMO) roles. In AD as much as possible is set up to replicate via multi-master replication. There are some functions which use a single-master replication scheme - these are due to limitations imposed by security, Kerberos design, performance, whatever. Satirically speaking one might say the rigid roles are referred to as flexible; however what is meant is that though there is a single instance of the role, the flexibility is in its placement.
FSMO name | one per | definition | DR
schema master | forest | ??? |
domain naming master | forest | ??? |
Primary DC Emulator - PDCE | domain | In mixed mode the PDCE is a W2Kx DC which serves as the NT4 PDC for the NT4 BDCs to replicate with. Even in native mode the PDCE is the Kerberos password change server - the authoritative reference for all passwords if there is a question of an as yet un-replicated password change. |
infrastructure master | domain | ??? |
RID master | domain | ??? |
Group Policy Object (GPO) stuff
Acronym / mnemonic device to remember GPO link precedence and application
Group Policy Loopback Support
http://www.microsoft.com/resources/documentation/Windows/2000/server/reskit/en-us/Default.asp?url=/resources/documentation/windows/2000/server/reskit/en-us/distrib/dsec_pol_KCMB.asp
Location on site: Windows 2000 Resource Kits > Windows 2000 Server Resource Kit > Distributed Systems Guide > Desktop Configuration Management > Group Policy
Group Policy Loopback Support.doc - MS Word formatted version of the above MS KB article
Group Policy Tips and Info
http://www.svrops.com/svrops/documents/gpolicies.htm
Verbose Active Directory Group Policy Tutorial
http://www.serverwatch.com/tutorials/article.php/10825_1468301_3
Block GPO Inheritance = the anarchist's setting
Group Policy for Windows 2003 - Inheritance
http://www.computerperformance.co.uk/w2k3/gp/group_policy_inheritance.htm
Native tools with which to manipulate Group Policy Templates -or- Security Templates -or- .inf files
Tool | Type | Use
Security Templates | MMC | view or edit existing templates, or create new ones
Security Configuration and Analysis | MMC | check existing settings against a template. Compare, tweak, export, modify
SECEDIT | CLI | like the above, but CLI
Active Directory Users and Computers (ADUC) | MMC | link templates to domains or OUs
Active Directory Sites and Services | MMC | link templates to sites
GPMC | MMC | view links, link to all
local security policy | MMC | link templates to the local system
gpupdate (/force) | CLI | apply policy now
gpresult | CLI | view what policies applied
Resultant Set of Policy (RSOP) | MMC | view what policies MIGHT apply!
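The tools above link templates at the local, site, domain and OU levels and RSOP shows what would win. As an added example (not from these notes), the Python below models that resolution: LSDOU processing order, Block Inheritance dropping non-enforced links above it, and Enforced links always applying and beating anything below. The scope, GPO and setting names are constructed for illustration.

```python
# Added example (not from these notes): resolve GPO links into a resultant
# set of policy the way RSOP does. LSDOU order: local, site, domain, OUs
# parent->child; a later GPO overwrites earlier settings. Block Inheritance
# drops non-enforced links above it (the local GPO is not a link and still
# applies); an Enforced link always applies and beats anything below it.
# Scope, GPO and setting names are constructed for illustration.


def resultant_policy(scopes):
    """scopes: ordered local, site, domain, OU..., deepest OU last; each is
    {"name", "block_inheritance", "gpos": [{"name", "enforced", "settings"}]}.
    Returns {setting: (winning value, winning GPO name)}."""
    blocked_below = -1  # index of the deepest scope that blocks inheritance
    for i, scope in enumerate(scopes):
        if scope.get("block_inheritance"):
            blocked_below = i
    apply_order = []
    for i, scope in enumerate(scopes):  # non-enforced links, LSDOU order
        if i != 0 and i < blocked_below:
            continue  # link lives above a Block Inheritance boundary
        apply_order += [g for g in scope["gpos"] if not g.get("enforced")]
    for scope in reversed(scopes):  # enforced: deepest first, so the
        apply_order += [g for g in scope["gpos"] if g.get("enforced")]  # top one wins
    result = {}
    for gpo in apply_order:
        for setting, value in gpo["settings"].items():
            result[setting] = (value, gpo["name"])
    return result


def sample_scopes(block_servers_ou=True):
    """Constructed chain: local -> site HQ -> domain corp.example -> OU Servers."""
    return [
        {"name": "local", "gpos": [{"name": "Local Policy", "settings":
            {"ScreenSaverTimeout": 600, "AuditLogon": "none"}}]},
        {"name": "site HQ", "gpos": [{"name": "Site-Baseline", "settings":
            {"ProxyServer": "proxy.hq.example:8080"}}]},
        {"name": "domain corp.example", "gpos": [{"name": "Domain-Security",
            "enforced": True, "settings":
            {"AuditLogon": "success,failure", "MinPwdLen": 8}}]},
        {"name": "OU Servers", "block_inheritance": block_servers_ou, "gpos":
            [{"name": "Servers-Hardening", "settings":
              {"ScreenSaverTimeout": 300, "AuditLogon": "success"}}]},
    ]


if __name__ == "__main__":
    for setting, (value, gpo) in sorted(resultant_policy(sample_scopes()).items()):
        print(f"{setting:<20} = {value!s:<16} (from {gpo})")
```

With the block in place the site GPO's proxy setting never reaches the servers, but the enforced domain audit policy still overrides the OU's weaker one; call sample_scopes(block_servers_ou=False) to see the site setting come back.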
Predefined security templates
Template | Purpose
Setup Security.inf | used during install - large file, not to be used as a GPO. This is the default template; the templates below are incremental
compatws.inf | weakens security for backwards compatibility with legacy applications
securews.inf | increases security
securedc.inf | increases security
hisecws.inf | increases security more - specifically network communications
hisecdc.inf | increases security more - specifically network communications
dcsecurity.inf | template used during DCPROMO / placement in the Domain Controllers OU
rootsec.inf | used to reapply NTFS permissions to the OS system drive
Naming: hisec > sec; ws = for workstation or server; dc = for domain controller
Active Directory Functional levels
NT levels | 2000 levels | 2003 domain levels | 2003 forest levels
NT (default) | mixed (default) | 2000 mixed (default) | 2000 (default)
- | native | 2000 native | -
- | - | 2003 interim | 2003 interim
- | - | 2003 | 2003
Domain and forest functionality
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b3674c9b-fab9-4c1e-a8f6-787126471271.mspx
Location on site: Microsoft Windows Server 2003 Tech Center, Product Help >
Active Directory > Active Directory Concepts > Understanding Active Directory
> Understanding Domains and Forests
Extra bit on interim levels: "Upgrading from a Windows NT domain," http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/ServerHelp/b3674c9b-fab9-4c1e-a8f6-787126471271.mspx
What are the domain and forest function levels in a Windows Server 2003-based Active Directory? http://www.petri.co.il/understanding_function_levels_in_windows_2003_ad.htm By: Daniel Petri
ADPREP - AD Preparation Tool
The Transitive property:
Domains in a tree have automatic two-way transitive parent-child trusts.
A non-forest-root tree's root domain has a two-way transitive trust with the forest root domain. In other words, trees in a forest trust each other at their roots, where the root is the top of the tree.
All domains in a forest exist in a complete trust model by way of walking the tree(s).
Shortcut trusts shorten the tree walk. Shortcut trusts are one- or two-way, and transitive below (down) the tree only.
A forest trust is between two 2003 forests. The forest trust is at the forest root domains. It is one- or two-way and transitive between the domains in the two forests only - that is, if ForestA has a forest trust with ForestB and ForestB has a forest trust with ForestC: all the domains in ForestA trust all the domains in ForestB, and all the domains in ForestB trust all the domains in ForestC, but there is no transitivity or trust relationship between ForestA and ForestC.
A realm trust is from an AD domain to a KRB5 (Kerberos) realm. (An AD domain is itself a KRB5 realm.) The realm trust can be one-way or two-way, and transitive or non-transitive.
An external trust is a one-way non-transitive trust between an AD domain and an NT4 domain, or between two AD domains that are in different forests. Think of it as a way to get forest-trust-like access before both forests are at the 2003 forest functional level, or for when only one domain in each forest needs a trust relationship rather than the whole forests.
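The transitivity rules above can be checked by walking the trust graph. The Python below is an added example (not from these notes): tree trusts walk freely, at most one forest hop is taken so ForestA-ForestB-ForestC does not chain, and an external trust is honoured only as a direct one-way hop. The domain names and trust graph are constructed; call trusted_domains(TRUSTS, "sales.corp.example") to see which domains' principals that domain will authenticate.

```python
# Added example (not from these notes): walk AD trusts the way the notes
# describe them. Tree trusts (parent-child, tree-root) are two-way transitive;
# a forest trust is transitive only between the two forests it joins, so
# A<->B plus B<->C gives no A-C trust; an external trust is one-way and
# non-transitive. Domain names and the trust graph are constructed.
from collections import deque

TREE_TRUSTS = {"parent-child", "tree-root"}

# (trusting, trusted, kind): "trusting" accepts principals from "trusted".
TRUSTS = [
    ("corp.example", "sales.corp.example", "parent-child"),
    ("sales.corp.example", "corp.example", "parent-child"),
    ("corp.example", "labs.example", "tree-root"),    # second tree, same forest A
    ("labs.example", "corp.example", "tree-root"),
    ("corp.example", "partner.test", "forest"),       # forest A <-> forest B
    ("partner.test", "corp.example", "forest"),
    ("partner.test", "vendor.test", "forest"),        # forest B <-> forest C
    ("vendor.test", "partner.test", "forest"),
    ("sales.corp.example", "nt4legacy", "external"),  # one-way, non-transitive
]


def trusted_domains(trusts, resource_domain):
    """Return the domains whose principals RESOURCE_DOMAIN will authenticate,
    by walking trusting->trusted edges. Tree walks are unlimited, at most one
    forest hop is taken, and an external trust counts only as a direct hop."""
    reachable = set()
    seen = {(resource_domain, 0)}
    queue = deque(seen)
    while queue:
        here, forest_hops = queue.popleft()
        for _, trusted, kind in (t for t in trusts if t[0] == here):
            if kind in TREE_TRUSTS:
                nxt = (trusted, forest_hops)
            elif kind == "forest" and forest_hops == 0:
                nxt = (trusted, 1)          # the one permitted forest hop
            else:
                # non-transitive edge: an external trust counts only as a
                # direct hop from the resource domain; nothing walks through it
                if kind == "external" and here == resource_domain:
                    reachable.add(trusted)
                continue
            if nxt not in seen:
                seen.add(nxt)
                reachable.add(trusted)
                queue.append(nxt)
    reachable.discard(resource_domain)
    return reachable
```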
Forest level trusts and UPN suffix routing
The DSA layer interfaces with LDAP, replication systems, and SAM mechanisms
This is an excellent document detailing GC ports, with lots of diagrams showing how everything works under the hood
DSA - Directory Service Agent
database layer - unpublished API
ESE - Extensible Storage Engine - transactional database
AD store - actual db files
The ESE:
The AD Store:
The schema table contains object classes and attributes. Object classes and attributes require:
Schema stuff:
You can control which domain objects and domain objects' attributes are included in the GC partial replicas. You can control which attributes are indexed. Realize this can result in both performance boosts and performance hits.
AD Partitions - naming contexts
LDAP is an interface to the AD database and has names for its path syntax:
Breaking down user mode vs kernel mode - while these are somewhat elusive, they do provide a pictorial illustration:
EFS operating system components with user and kernel modes shown
http://www.microsoft.com/library/media/1033/technet/images/prodtechnol/winxppro/reskit/ch18/f18zs01_big.jpg
Windows 2000 Plug and Play Architecture with user and kernel modes shown
http://www.microsoft.com/whdc/archive/PnPNT5_2.mspx?pf=true#pnp1
(from http://www.microsoft.com/whdc/archive/PnPNT5_2.mspx)
ADMT