Tuesday, April 26, 2011

Changes in Windows 2008 Active Directory

Active Directory Domain Services

Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the central location for configuration information, authentication requests, and information about all of the objects that are stored within your forest. Using Active Directory, you can efficiently manage users, computers, groups, printers, applications, and other directory-enabled objects from one secure, centralized location.
  • Auditing. Changes made to Active Directory objects can be recorded so that you know what was changed on the object, as well as the previous and current values for the changed attributes.
  • Fine-Grained Passwords. Password policies can be configured for distinct groups within the domain. No longer does every account have to use the same password policy within the domain. Fine-grained password policies (Password Settings Objects) require the Windows Server 2008 domain functional level and are applied to users and global security groups, not to OUs; when several apply to one user, the one with the lowest precedence value wins.
  • Read-Only Domain Controller. A domain controller with a read-only copy of the Active Directory database can be deployed where the security of the domain controller cannot be guaranteed, such as branch offices where its physical security is in question, or domain controllers that host additional roles and therefore require other users to log on and maintain the server. Because an RODC accepts no writes, a change made at a branch location cannot pollute or corrupt the AD forest via replication. By default an RODC stores no account passwords at all; it caches only the secrets of accounts listed in its Password Replication Policy, so a stolen RODC exposes just those accounts, and the domain keeps a record of which accounts were ever revealed to it. RODCs also eliminate the need for a staging site for branch office domain controllers, or for sending installation media and a domain administrator to the branch location.
  • Restartable Active Directory Domain Services. Active Directory Domain Services can be stopped and maintained. Rebooting the domain controller and restarting it in Directory Services Restore Mode is not required for most maintenance functions. Other services on the domain controller can continue functioning while the directory service is offline.
  • Database Mounting Tool. A snapshot of the Active Directory database can be mounted using this tool. This allows a domain administrator to view the objects within the snapshot to determine the restore requirements when necessary.
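As an added example (not part of the original post and not Microsoft code), the following PowerShell turns the auditing and fine-grained password items above into something you can run and verify: it enables Directory Service Changes auditing on the Password Settings Container, creates a stricter password policy for Domain Admins, shows which policy one user actually gets, and reads back the 5136/5137/5141 events the change generated. It assumes the Active Directory module (Windows Server 2008 R2, or RSAT with Active Directory Web Services reachable on a Windows Server 2008 DC), a domain at the Windows Server 2008 domain functional level, and that it runs on a domain controller as a member of Domain Admins. The policy name PSO-PrivilegedAccounts and the user admin.jdoe are placeholders.

```powershell
# Added example: audit trail plus fine-grained password policy on a Windows Server 2008 (R2) DC.
# Placeholders: PSO name 'PSO-PrivilegedAccounts', sample user 'admin.jdoe'.
Import-Module ActiveDirectory

$domainDN = (Get-ADDomain).DistinguishedName
$pscDN    = "CN=Password Settings Container,CN=System,$domainDN"

# 1. Enable the audit subcategory. The old "Audit directory service access" policy
#    only yields 4662; the Changes subcategory records old and new attribute values.
auditpol /set /subcategory:"Directory Service Changes" /success:enable | Out-Null

# 2. Put a SACL on the container: audit everyone (S-1-1-0) who creates, deletes or
#    writes a PSO. Without a SACL on the object nothing is logged at all.
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rights   = [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild, WriteProperty'
$flags    = [System.Security.AccessControl.AuditFlags]::Success
$inherit  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$rule     = New-Object System.DirectoryServices.ActiveDirectoryAuditRule -ArgumentList $everyone, $rights, $flags, $inherit
$acl = Get-Acl -Path "AD:\$pscDN" -Audit      # reading a SACL needs SeSecurityPrivilege
$acl.AddAuditRule($rule)
Set-Acl -Path "AD:\$pscDN" -AclObject $acl

# 3. Stricter rules for privileged accounts. The lowest Precedence wins when several
#    PSOs apply to one user. Subjects must be users or global security groups, not OUs.
New-ADFineGrainedPasswordPolicy -Name 'PSO-PrivilegedAccounts' -Precedence 10 `
    -MinPasswordLength 15 -PasswordHistoryCount 24 -ComplexityEnabled $true `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '00:30:00' -LockoutDuration '00:30:00' `
    -ReversibleEncryptionEnabled $false
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-PrivilegedAccounts' -Subjects 'Domain Admins'

# 4. Resultant policy for one account: this is what the DC will actually enforce.
Get-ADUserResultantPasswordPolicy -Identity 'admin.jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold

# 5. The trail: 5137 object created, 5136 attribute modified (AttributeValue holds the
#    value; a "Value Deleted" event carries the old one), 5141 object deleted.
function Get-DsChangeEvents([int]$Max = 20) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 5136, 5137, 5141 } -MaxEvents $Max |
        ForEach-Object {
            $xml = [xml]$_.ToXml()
            $d = @{}
            foreach ($e in $xml.Event.EventData.Data) { $d[$e.Name] = $e.'#text' }
            New-Object PSObject -Property @{
                Time      = $_.TimeCreated
                Id        = $_.Id
                Who       = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object    = $d['ObjectDN']
                Attribute = $d['AttributeLDAPDisplayName']
                Value     = $d['AttributeValue']
            }
        }
}
Get-DsChangeEvents | Format-Table Time, Id, Who, Object, Attribute, Value -AutoSize
```

The SACL step is the one most people forget: the audit policy only switches the subcategory on, and the directory logs a change only for objects whose SACL asks for it. Forwarding 5136/5137/5141 from every DC to a central log is what makes the "previous and current values" feature useful in an investigation.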

Active Directory Rights Management Services

Your organization’s intellectual property needs to be safe and highly secure. Active Directory Rights Management Services (AD RMS), a component of Windows Server 2008, helps make sure that only the individuals who need to view a file can do so. AD RMS protects a file by identifying the rights that a user has to it. Rights can be configured to allow a user to open, modify, print, forward, or take other actions with the rights-managed information. With AD RMS, you can safeguard data even after it is distributed outside of your network. Keep in mind that the protection is enforced by the application rendering the content, so it stops honest applications and casual leakage, not a user who can photograph the screen or a compromised client.
  • Application Support. The AD RMS client is built into Windows Vista, and Internet Explorer 7 and the 2007 Microsoft Office system support AD RMS. The AD RMS client can also be installed on other Windows operating systems.
  • Persistent Protection. Your content can be protected on the go. You specify who can open, modify, print, or manage the content, and the rights stay with the content, even after it has been transferred outside of your organization.
  • Usage Policy Templates. If you have a common set of rights that you use to control access to information, a Usage Policy Template can be created and applied to content. This alleviates the need to recreate the usage rights settings for every file you want to protect.
  • AD RMS Software Development Kit. The AD RMS Software Development Kit (SDK) can be used by independent software vendors (ISVs) to rights-enable their applications, meaning the application investments you’ve already made may be (or will become) compatible with AD RMS.

Active Directory Federation Services

Active Directory Federation Services (AD FS) is a secure, extensible, and Internet-scalable identity access solution that allows organizations to authenticate users from partner organizations. Using AD FS in Windows Server 2008, you can grant external users access to your organization’s domain resources without creating accounts for them in your domain and without a domain trust: the partner authenticates its own users and AD FS consumes the signed security tokens (claims) the partner issues. AD FS can also simplify integration between untrusted resources and domain resources within your own organization.
  • Availability as an Integrated Server Role. AD FS is a server role within Windows Server 2008 that can be deployed and managed using Server Manager, instead of being handled as an added feature as in Windows Server 2003 R2.
  • Integration with Microsoft Office SharePoint Server 2007. AD FS can be used to provide a single sign-on solution for Office SharePoint Server 2007.
  • Integration with Active Directory Rights Management Services (AD RMS). AD FS can integrate with AD RMS to support the sharing of rights-protected content between organizations without requiring AD RMS to be deployed in both organizations.
  • Improved Administration. Importing and exporting trust information has been enhanced so that each organization can export or import XML files to set up the federation trust. The imported file carries the partner's token-signing certificate; verify it out of band before importing, because whoever holds the matching private key can mint tokens your resources will accept.

Active Directory Certificate Services

Most organizations use certificates to prove the identity of users or computers, as well as to encrypt data during transmission across unsecured network connections. Active Directory Certificate Services (AD CS) enhances security by binding the identity of a person, device, or service to a key pair: the certificate carries the public key and the identity, while the private key stays with its owner (on the device, on a smart card, or, only where key archival is explicitly configured, escrowed by the CA). Certificates issued by an enterprise CA can be published in Active Directory, which then becomes the centralized location from which applications retrieve the appropriate certificate when they need it; the private key is never published to the directory.
  • Enrollment Agent Templates. Delegated enrollment agents can be assigned on a per-template basis, so an agent who requests smart-card logon certificates on behalf of users can be limited to that template instead of being able to enroll any template for anyone.
  • Integrated Simple Certificate Enrollment Protocol (SCEP). Certificates can be issued to network devices, such as routers, through the Network Device Enrollment Service. SCEP authenticates a request with a one-time enrollment challenge password, so protect the NDES server and its challenge passwords like any other enrollment credential.
  • Online Responder. Instead of a client downloading the entire Certificate Revocation List (CRL), the Online Responder answers Online Certificate Status Protocol (OCSP) requests with the signed revocation status of the single certificate being checked. This reduces the network traffic consumed when clients validate certificates.
  • Enterprise PKI (PKI View). A new management tool for AD CS, this tool allows a Certificate Services administrator to manage Certification Authority (CA) hierarchies to determine the overall health of the CAs and to easily troubleshoot errors.

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), can be used to provide directory services for directory-enabled applications. Instead of using your organization’s AD DS database to store the directory-enabled application data, AD LDS can be used to store the data. AD LDS can be used in conjunction with AD DS so that you have a central location for security accounts (AD DS) and another location to support the application configuration and directory data (AD LDS). Using AD LDS, you reduce the overhead associated with Active Directory replication, you do not have to extend the Active Directory schema to support the application, and you can partition the directory structure so that the AD LDS service is only deployed to the servers that need to support the directory-enabled application. An AD LDS instance has its own schema, its own partitions and its own access control (it can still authenticate Windows users from AD DS), so application data and the permissions on it stay out of the domain directory.
  • Install from Media Generation. Installation media for AD LDS can be created by using Ntdsutil.exe or Dsdbutil.exe.
  • Auditing. Auditing of changed values within the directory service.
  • Database Mounting Tool. Gives you the ability to view data within snapshots of the database files.
  • Active Directory Sites and Services Support. Gives you the ability to use Active Directory Sites and Services to manage the replication of AD LDS data changes.
  • Dynamic List of LDIF files. With this feature, you can associate custom LDIF files with the existing default LDIF files used for setup of AD LDS on a server.
  • Recursive Linked-Attribute Queries. LDAP queries can follow nested attribute links to determine additional attribute properties, such as group memberships.

Additional Active Directory Improvements

The Active Directory Installation Wizard includes several improvements over earlier versions. These improvements make it easier for an administrator to control the installation of domain controllers within the domain. Enhancements include:
  • New Forest Functional Level. Windows Server 2008 R2 includes a new Active Directory forest functional level. Many of the new features in the Active Directory server roles require the Active Directory forest to be configured with this new functional level.
  • Enhanced Command Line and Automated Management. Windows PowerShell cmdlets (the Active Directory module, which ships with Windows Server 2008 R2 and talks to domain controllers through Active Directory Web Services) provide the ability to fully manage Active Directory server roles.
  • Improved Automated Monitoring and Notification. An updated System Center Operations Manager 2007 Management Pack helps improve the monitoring and management of Active Directory server roles.
  • Better Management with Server Manager. Server Manager, the Windows Server 2008 R2 server management tool, allows an administrator to pre-stage domain controllers. When the domain controller role is added from the Server Manager console, the files that are needed to perform the installation of the directory service are copied to the server. When an administrator starts the Installation Wizard, dcpromo.exe, the files are already cached and available.
  • Improved Compliance with Established Standards and Best Practices. Windows Server 2008 R2 includes an integrated Best Practices Analyzer for each of the server roles. The Best Practices Analyzer creates a checklist within Server Manager for the role, which you can use to help perform all the configuration tasks.
  • Answer File Creation. If several domain controllers use the same settings when they are installed, the Summary page allows you to export the settings from the current installation into an answer file. The password used for your Directory Services Restore Mode administrator account is not exported with the answer file, and you can specify that the user who is installing the domain controller is always prompted for the administrator password. This way, passwords are not accessible to users who have access to the location where the answer files are stored.
  • Read-Only Domain Controller Installation. The Read-Only Domain Controller role can be installed using the Installation Wizard, and the installation can be staged in two phases. In the first phase a domain administrator pre-creates the RODC's computer account in the domain and names the user or group that is delegated to complete the installation. In the second phase that delegated user runs the wizard at the branch office and attaches the server to the pre-created account, so no Domain Admins credentials are ever used at the branch.






Thursday, January 27, 2011

Best of Active Directory Stuff


A Domain is a way to partition a network for security and administrative purposes.


When you create an Active Directory site, the Inter-Site Topology Generator (the domain controller in each site that runs the inter-site part of the KCC) automatically assigns the role of bridgehead server to one domain controller per partition and transport, unless you designate preferred bridgehead servers yourself. The bridgehead server sends and receives replication data from remote sites.
OUs can also serve as administrative boundaries. Different security standards can be placed on OUs, including different group policies. Administratively, an OU can be delegated so that a certain administrator or group controls it. With an OU, you can set security for a subset of an existing domain, have a different administrator manage that subset, and place different policies on it. Note that an OU is an administrative boundary, not a security boundary in the sense that a forest is: any member of Domain Admins, or anyone who can edit a GPO linked above the OU, still controls everything inside it.
Sites are not a part of the DNS namespace, but they are maintained for traffic and replication flow purposes.
When you define various sites within the Active Directory Sites and Services tool, you enable the Knowledge Consistency Checker (KCC) and other Active Directory services to know that your enterprise contains remote sites. The KCC also knows that those sites are connected by WAN communication links or site links. When you define information about those site links, then the Active Directory can make decisions about how to best use the bandwidth available.
Global catalog servers contain a full replica of Active Directory objects within their domain and a partial replica of Active Directory objects in other domains in the forest.
By default the available user principal name (UPN) suffixes are the names of the current domain and the forest root domain; additional suffixes can be added in Active Directory Domains and Trusts.
A site is physical grouping of computers based on TCP/IP connectivity, and a domain is a logical grouping of users, computers, and other Active Directory objects based on administrative and security needs.
Active Directory domain names are DNS names, but the Active Directory namespace is normally an internal one (a subdomain of the public name, or a name that is not registered on the Internet at all) that is resolved by internal DNS servers rather than published on the Internet.

If a firewall sits between sites, designate a specific domain controller in each site as the preferred bridgehead server so that the firewall only needs to permit replication traffic (the RPC endpoint mapper on TCP 135 plus the dynamic RPC ports, or a fixed replication port set in the NTDS registry parameters) between those servers.
The Active Directory Sizer is a tool that gathers information from you about your network and your computers and then gives you a report that estimates the hardware you will need to meet the workload demands of your environment.
A primary tool you would want to consider using is the Active Directory Migration Tool (ADMT).
While I’m on the subject of connecting and synchronizing with the Active Directory, I should mention that Windows 2000 includes an Active Directory Connector (ADC) for connecting the Exchange Server 5.5 directory with the Active Directory.
FSMO (Flexible Single Master Operations) roles -
Schema Master—the schema master is a domain controller that manages any changes that are made to the Active Directory schema. There is only one schema master in an Active Directory forest.
Domain Naming Master—the domain naming master domain controller manages the addition or removal of domains from the Active Directory forest. There can be only one domain naming master per forest.
Relative ID (RID) Master—the RID master manages the allocation of RIDs to domain controllers in the domain. The RID master manages object security IDs and RIDs for the domain. There is one RID master per domain in the forest.

PDC Emulator—The PDC Emulator role allows a Windows 2000 domain controller to act as a PDC to Windows NT servers and clients. Since NT is not aware of the multi-master model, the PDC Emulator role allows the Windows 2000 domain controller to act like a PDC, which is what allows Windows NT Servers and Windows 2000 Servers to coexist in the same domain (called mixed mode). The role remains important after every domain controller has been upgraded: the PDC emulator receives urgent replication of password changes and account lockouts, is consulted when another domain controller rejects a password, is the authoritative time source for the domain, and is the default domain controller for Group Policy edits.

Infrastructure Master—The Infrastructure master updates references to objects that live in other domains, for example the members of a group whose accounts are in another domain, so that their names and SIDs stay current when the referenced objects are renamed or moved. There is only one Infrastructure master in each domain in the forest.

Global Catalog—In addition to the standard master operation roles, there are also global catalog servers. Global catalog servers hold a partial replica for all objects in all domains. Global catalog servers are used for network logons by providing universal group membership information to a domain controller when a logon occurs. Global catalogs also assist user object queries.

The file system provides a way for your operating system to store data in a logical, organized manner. Without a file system, your computer would not be able to logically write and read data on a hard disk.

Convert a volume to NTFS without reformatting it: convert <drive letter>: /fs:ntfs (for example, convert D: /fs:ntfs)

The Active Directory database and its log files are stored in %SystemRoot%\NTDS by default, which is C:\WINNT\NTDS on Windows 2000.
Domain controllers also have a SYSVOL folder, replicated to every domain controller in the domain, that holds the Group Policy templates and logon scripts; anyone who can write to it can change what every domain computer executes.

Child domains are automatically connected to the root domain through a transitive trust relationship. Transitive trusts are two-way trust relationships and allow all domains in a tree to trust each other automatically. Because the trust is transitive, if Domain 1 trusts Domain 2 and Domain 2 trust Domain 3, then Domain 1 automatically trusts Domain 3 through the transitive nature of the trust.

Active Directory Trust Relationships
In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The trust relationships supported in Windows Server 2003 are summarized below:
  • Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace and belong to the same forest. This trust relationship is established automatically when a child domain is created in a domain tree.
  • Tree Root trust: A tree root trust relationship exists between the forest root domain and the root domain of another tree in the same forest. The root domains do not share a DNS namespace. This trust is established automatically when a new tree root domain is added to a forest.
  • Shortcut trust: This trust relationship can be configured between any two domains within the same forest, typically domains in different domain trees or far apart in the hierarchy. A shortcut trust is used to improve user logon and resource-access times by shortening the Kerberos referral path.
  • External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain, or between an Active Directory domain and a single domain in another forest. External trusts are non-transitive.
  • Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.
  • Forest trust: Forest trust can be created between two Active Directory forests (both at the Windows Server 2003 forest functional level or higher). It is transitive between all the domains of the two forests. New external and forest trusts have SID filtering enabled; keep it on, because without it a SID placed in the sIDHistory attribute of a user in the trusted domain is honoured in the trusting domain.
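As an added example (not from the original post), this PowerShell reviews every trust of the current domain using the flags the trust-type summary above describes, and flags the settings a security review looks for: SID filtering, selective authentication and TGT delegation across the trust. It assumes the Active Directory module (Windows Server 2008 R2 or RSAT) and read access to the domain's trustedDomain objects, which any domain user has.

```powershell
# Added example: enumerate the domain's trusts and flag weak settings.
Import-Module ActiveDirectory

function Get-TrustReview {
    Get-ADTrust -Filter * | ForEach-Object {
        $t = $_
        # Classify from the same flags the GUI uses: IntraForest covers parent/child,
        # tree-root and shortcut trusts; ForestTransitive marks a forest trust;
        # TrustType MIT is a realm trust; anything else is an external trust.
        if     ($t.IntraForest)              { $kind = 'intra-forest' }
        elseif ($t.ForestTransitive)         { $kind = 'forest' }
        elseif ("$($t.TrustType)" -eq 'MIT') { $kind = 'realm' }
        else                                 { $kind = 'external' }

        $findings = @()
        # SID filtering stops a sIDHistory value from the other side being honoured here.
        if ($kind -eq 'external' -and -not $t.SIDFilteringQuarantined) { $findings += 'SID filtering (quarantine) off' }
        if ($kind -eq 'forest'   -and -not $t.SIDFilteringForestAware) { $findings += 'SID filtering (forest-aware) off' }
        # Without selective authentication every account on the other side becomes
        # "Authenticated Users" on this side's servers.
        if ((@('forest', 'external') -contains $kind) -and -not $t.SelectiveAuthentication) {
            $findings += 'selective authentication off'
        }
        # Allowing TGT delegation across the trust lets an unconstrained-delegation
        # server on the other side impersonate this domain's users.
        if ($t.TGTDelegation) { $findings += 'TGT delegation allowed across trust' }

        New-Object PSObject -Property @{
            Partner   = $t.Name
            Kind      = $kind
            Direction = "$($t.Direction)"   # Outbound = this domain trusts the partner
            Findings  = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustReview | Format-Table Partner, Kind, Direction, Findings -AutoSize
```

Direction is read from this domain's point of view: an Outbound trust means users of the partner can be granted access to resources here, so that is the side on which the filtering and selective-authentication findings matter most.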

Do not place the global catalog server role on the same domain controller that holds the Infrastructure master role, unless either every domain controller in the domain is a global catalog or the forest has only one domain, in which case the rule does not matter. The Infrastructure master finds cross-domain references that are out-of-date and then requests updated data from the global catalog server. If both roles reside on the same domain controller, the Infrastructure master will never find any out-of-date references, because its local global catalog is always up-to-date, so the references held by the other (non-GC) domain controllers are never updated.
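As an added example (not from the original post), this PowerShell lists the holders of the five FSMO roles described earlier and then checks the Infrastructure master placement rule just stated, including the two cases in which the rule does not apply. It assumes the Active Directory module (Windows Server 2008 R2 or RSAT); the commented transfer at the end uses a placeholder server name DC02. netdom query fsmo gives the same role list without the module.

```powershell
# Added example: FSMO role holders, and whether the infrastructure master placement
# rule is satisfied. Runs as any domain user with the AD module loaded.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    New-Object PSObject -Property @{
        SchemaMaster         = $forest.SchemaMaster          # one per forest
        DomainNamingMaster   = $forest.DomainNamingMaster    # one per forest
        PDCEmulator          = $domain.PDCEmulator           # one per domain
        RIDMaster            = $domain.RIDMaster             # one per domain
        InfrastructureMaster = $domain.InfrastructureMaster  # one per domain
    }
}

function Test-InfrastructureMasterPlacement {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter *)   # DCs of the current domain
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGC  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # The rule only matters when there are cross-domain references to fix up AND
    # at least one DC in the domain is not a GC (only non-GC DCs hold stale references).
    if (@($forest.Domains).Count -eq 1) { return 'OK: single-domain forest, rule does not apply' }
    if ($nonGC.Count -eq 0)             { return 'OK: every DC is a GC, rule does not apply' }
    if ($im.IsGlobalCatalog) {
        $candidates = ($nonGC | ForEach-Object { $_.HostName }) -join ', '
        return "WARNING: $($im.HostName) is both infrastructure master and GC; move the role to one of: $candidates"
    }
    return "OK: infrastructure master $($im.HostName) is not a GC"
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement
# To fix a bad placement, transfer (not seize) while the current holder is online:
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole InfrastructureMaster
```

Seizing a role with ntdsutil is only for a holder that is permanently gone; a seized Schema, Domain Naming or RID master must never come back online, because two holders of the same single-master role corrupt the forest.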

A site can contain several domains, or a single domain can span multiple sites.

Without site links, the Active Directory cannot replicate data between sites

The Active Directory can use RPC over IP or SMTP (Simple Mail Transfer Protocol) to send replication data between sites. SMTP can be used for low-bandwidth or unreliable links, or links that cross the Internet, but it cannot carry the domain partition, so two domain controllers of the same domain in different sites must still be reachable over RPC.

Within each site, the Active Directory automatically configures a domain controller to be a bridgehead server. The bridgehead server sends and receives replication data from remote sites.

Kerberos is an Internet standard authentication protocol (RFC 1510 at the time, later RFC 4120), and it provides faster service and stronger security than NTLM, the authentication protocol in Windows NT: mutual authentication, delegation, and no password-derived challenge/response handed to every resource server. Kerberos V5 is the default protocol among Windows computers (Server and Professional) within an Active Directory forest. Windows 2000 also supports Windows NT LAN Manager (NTLM) for backward compatibility, so down-level clients and servers such as NT and 9x can log on to a Windows 2000 Server.

NTLM does not go away when a domain is switched to native mode. The mode only governs which domain controllers are allowed in the domain; NTLM is still used whenever Kerberos cannot be, for example when a resource is addressed by IP address rather than by name, when the client is not domain-joined, or when a service has no registered SPN. Treat NTLM as something to monitor and restrict, not as something native mode removed.

Finally, Windows 2000 also supports Secure Sockets Layer/Transport Layer Security (SSL/TLS), a protocol used to authenticate Web servers to Web clients and, with client certificates, Web clients to Web servers. Windows 2000 can use SSL/TLS to authenticate Internet users to a Windows 2000 Server, and this protocol is used in conjunction with Windows 2000’s certificate services.

One of the best features of Kerberos V5 is single logon for user accounts: a user need only be authenticated once by a domain controller to gain access to network-wide resources.

In the Kerberos V5 logon (the Authentication Service exchange), the client encrypts a timestamp with a key derived from the user’s password and sends it to the domain controller as pre-authentication. If the domain controller can decrypt the timestamp with the key it holds for that user and the time is within the allowed clock skew (five minutes by default), it sends two things back to the computer where the user initiated the logon:
Logon Session Key—a session key for traffic between the client and the key distribution center (KDC). It is encrypted with the user’s password-derived key, so only a client that knows the password can recover it; it is not a ticket and carries no permissions.
Ticket-Granting Ticket—a ticket encrypted with the key of the domain’s krbtgt account, so the client can neither read nor alter it. It carries the user’s SIDs (the Privilege Attribute Certificate) and is presented back to the KDC to obtain service tickets for resources on the network. Because every TGT is only as strong as the krbtgt key, that key is the most sensitive secret held on a domain controller.

Two bulk-import utilities ship with the directory. CSVDE (Comma-Separated Value Directory Exchange) adds objects to the Active Directory from a comma-separated text file, but it can only create objects, not delete or change them. LDIFDE (LDAP Data Interchange Format Directory Exchange) can create, delete, and modify objects in bulk, and both tools can also export objects and attributes to a file.
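As an added example (not from the original post), the following PowerShell writes a small LDIF file that exercises all three LDIFDE change types, a CSV file for the one thing CSVDE can do, and an LDIFDE export that is useful as an audit snapshot of group membership. The domain DC=corp,DC=example, the OUs Staff and Groups, and the account and group names are placeholders; it assumes it runs as an account allowed to create and delete objects in those OUs.

```powershell
# Added example: bulk create, modify and delete with LDIFDE; create-only with CSVDE.
# Placeholders: DC=corp,DC=example, OU=Staff, OU=Groups, the account and group names.
$domainDN = 'DC=corp,DC=example'

# LDIF rules: one blank line separates entries; each operation inside a modify
# block ends with a line containing only "-". A user created over plain LDAP
# cannot be given a password in the same step, so it is created disabled
# (userAccountControl 514 = NORMAL_ACCOUNT 512 + ACCOUNTDISABLE 2) until a
# password is set over a protected channel.
$ldif = @"
dn: CN=Bulk Test,OU=Staff,$domainDN
changetype: add
objectClass: user
sAMAccountName: bulktest
userPrincipalName: bulktest@corp.example
userAccountControl: 514

dn: CN=Bulk Test,OU=Staff,$domainDN
changetype: modify
replace: description
description: created by ldifde; disabled until a password is set
-

dn: CN=Helpdesk,OU=Groups,$domainDN
changetype: modify
add: member
member: CN=Bulk Test,OU=Staff,$domainDN
-

dn: CN=Old Account,OU=Staff,$domainDN
changetype: delete
"@
$ldfPath = Join-Path $env:TEMP 'bulk.ldf'
Set-Content -Path $ldfPath -Value $ldif -Encoding ASCII
# -i import, -k keep going past "already exists" / constraint errors, -j log directory
ldifde -i -f $ldfPath -k -j $env:TEMP

# CSVDE: the header row names the attributes; it can only create, never modify or delete.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,userAccountControl
"CN=Bulk Two,OU=Staff,$domainDN",user,bulktwo,bulktwo@corp.example,514
"@
$csvPath = Join-Path $env:TEMP 'bulk.csv'
Set-Content -Path $csvPath -Value $csv -Encoding ASCII
csvde -i -f $csvPath -k

# Export for an audit snapshot: -d base DN, -r LDAP filter, -l attributes to include.
ldifde -f (Join-Path $env:TEMP 'groups.ldf') -d "OU=Groups,$domainDN" -r "(objectClass=group)" -l member
```

Because LDIFDE can add members to Domain Admins as easily as to Helpdesk, treat imported LDIF files like scripts: review them before they run and keep them where only the administrators who run them can write.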

The Logon Workstations restriction (the userWorkstations attribute) is checked by NetBIOS computer name, so when you enter a computer name, use the NetBIOS name and not the full DNS name of the computer.

Active Directory is built on three different security components
1.      Security Principals—Security Principals are users, groups, or computers.
2.      Security Identifiers (SID)—A SID is a unique number that identifies a user, group, or computer account.
3.      Security Descriptor—A Security Descriptor describes the owner of an object, the permissions that have been assigned for it (the DACL), and the auditing that applies to it (the SACL).

A Windows 2000 domain controller, System State Data contains the following:
✦ Registry
✦ COM+ Class Registration database
✦ System boot files
✦ Active Directory Services database
✦ SYSVOL directory
You can back up System State Data only on your local server. You cannot back up System State Data on a remote computer.

The Active Directory is based on the Extensible Storage Engine (ESE) database and is a fault-tolerant, transaction-based database: every change is written to a transaction log before it is committed to the database file, so the directory can recover its own data after a crash. There are two basic components of the Active Directory store: the database file that contains all of the Active Directory objects and the transaction log files that provide the fault tolerance.

Each domain controller contains the Active Directory database file, which is called Ntds.dit (directory information tree) and is found, by default, in the %SystemRoot%\NTDS directory. The file holds every password hash in the domain, so read access to it, and to its backups and volume shadow copies, must be controlled as tightly as the domain controller itself.

The database file stores information in three tables:
✦ Object table—Contains objects and object attributes.
✦ Link table—Contains links or relationship information between the objects and attributes in the Object table, such as group membership.
✦ Schema table—Contains the definitions of all the possible objects that can be created in the Active Directory.

Aside from the actual database file and the transaction log files, there are three other kinds of files used by the Active Directory:
✦ Checkpoint files (Edb.chk)—Checkpoint files hold pointers to the transactions that have already been written to the database file.
✦ Reserved log files (Res1.log, Res2.log)—Reserved log files are used as backups in the case of low disk space, so that in-flight transactions can still be logged while the service shuts down cleanly.
✦ Patch files—Patch files are used to manage data during an online backup (Windows 2000 only; later versions of ESE no longer use them).

The current transaction log file is named Edb.log and is stored in the same directory as the database file. The Edb.log file has a fixed size of 10 MB. When the Edb.log file fills to its capacity, a new log file is created and the old log file is renamed edbxxxxxx.log, where xxxxxx is a hexadecimal number that marks it as an old log file. Once all of the transactions in the old log file have been written to the database, the old transaction log is deleted.

Circular logging does not create new transaction log files, but rather overwrites the old one when it fills. In essence, it uses the same log files over and over by overwriting information that has already been committed to the database. Circular logging enables the Active Directory to maintain fewer transaction logs. It is the default for Active Directory and, unlike a mail store, the directory is not recovered by replaying saved logs against an old backup, so there is little to gain from turning it off; if you do, monitor the log volume, because a full log volume stops the directory service. The setting is the REG_DWORD value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\CircularLogging
Enter 1 to enable circular logging (0 to disable it).

The automatic cleanup process, called Garbage Collection, occurs every twelve hours. During Garbage Collection, old transaction logs are deleted, and unneeded objects are deleted from the Active Directory. The deletion of objects occurs by a process called tombstoning. Suppose you delete a printer object from the Active Directory. During Garbage Collection, the printer object is tagged with a tombstone, which is not visible to clients. Once an object is tombstoned, it appears as though it has been deleted, when in reality the tombstone is kept for a default period of 60 days, called the Tombstone Lifetime.

The length of time tombstoned objects remain in the directory before they are physically deleted (the tombstone lifetime, the tombstoneLifetime attribute of CN=Directory Service,CN=Windows NT,CN=Services in the configuration partition) is 60 days by default for forests created on Windows 2000 or Windows Server 2003, and 180 days for forests created on Windows Server 2003 SP1 or later. Two practical consequences: a system state backup older than the tombstone lifetime cannot be used to restore a domain controller, and a domain controller that has been offline or unable to replicate for longer than the tombstone lifetime must be rebuilt rather than reconnected, because it would reintroduce deleted objects (lingering objects).
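As an added example (not from the original post), this PowerShell reads the garbage-collection settings and the circular-logging value discussed above, together with the database and log locations from the same NTDS registry key, and derives the oldest backup that a restore would still accept. It assumes the Active Directory module (Windows Server 2008 R2 or RSAT) and that it runs on a domain controller, since the registry values are local to the DC.

```powershell
# Added example: tombstone lifetime, garbage-collection interval, circular logging
# and the database/log paths of the local DC, plus the oldest usable backup date.
Import-Module ActiveDirectory

function Get-DsRetentionInfo {
    $root = Get-ADRootDSE
    $dsDN = "CN=Directory Service,CN=Windows NT,CN=Services,$($root.configurationNamingContext)"
    $ds   = Get-ADObject -Identity $dsDN -Properties tombstoneLifetime, garbageCollPeriod

    # An absent attribute means the built-in default: 60 days / 12 hours. Forests
    # created on Windows Server 2003 SP1 or later carry an explicit 180.
    $tsl = if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
    $gcp = if ($ds.garbageCollPeriod) { [int]$ds.garbageCollPeriod } else { 12 }

    # NTDS parameters of this DC: file locations and the optional CircularLogging value.
    $p    = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $circ = $p.PSObject.Properties['CircularLogging']

    New-Object PSObject -Property @{
        TombstoneLifetimeDays = $tsl
        GarbageCollectHours   = $gcp
        OldestUsableBackup    = (Get-Date).AddDays(-$tsl)   # older system state backups are refused
        DatabaseFile          = $p.'DSA Database file'
        LogFilesPath          = $p.'Database log files path'
        CircularLogging       = if ($circ) { $circ.Value } else { 'not set (default: enabled)' }
    }
}

Get-DsRetentionInfo | Format-List
```

Compare OldestUsableBackup with the age of your newest verified system state backup; if the backup is older, the restore path described later in this note is already closed and the only recovery is replication from another domain controller.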

Ghost objects, called phantom objects in this note, are errors within the database that occur when an object has been deleted but some kind of error prevented it from actually being removed. You end up with an object that appears in the directory although it is not actually available. In later Microsoft terminology an object that reappears because a domain controller missed its tombstone is a lingering object, and repadmin /removelingeringobjects is the tool that cleans them up.

Update Sequence Numbers (USNs). Each domain controller keeps its own 64-bit USN counter, which it increments for every write it performs, whether originating or replicated, and stamps on the changed attribute. A replication partner remembers the highest USN it has received from each source, so a USN on the source that is higher than that value tells the partner there is a change it has not yet received.

Intrasite replication is replication that occurs within an Active Directory site.
Intersite replication is replication that occurs between different Active Directory sites.

Replication partitions

Schema partition - contains the definitions of all the classes and attributes that objects in the forest may have; replicated to every domain controller in the forest.
Configuration partition - contains the physical structure of the Active Directory, such as where sites are located, which domain controllers are in which sites, the site links, and the list of domains; replicated to every domain controller in the forest.
Domain partition - contains the users, groups, computers and other objects of one domain; replicated only to the domain controllers of that domain (and, as a read-only partial copy, to global catalog servers).
Windows Server 2003 and later also support application partitions (the DomainDnsZones and ForestDnsZones DNS partitions are the usual examples), whose replication scope you choose yourself.

Active Directory replication uses a process called store and forward. This simply means that replication changes are not directly sent to every domain controller. Instead, changes made on one domain controller are replicated to that domain controller’s replication partners, who then send the replicated data to their replication partners, and so forth until the replicated data reaches all domain controllers. Fortunately for us, the Active Directory internally determines which domain controllers will be partners. This is accomplished through an automatic replication topology generation through the Windows 2000 Knowledge Consistency Checker (KCC) service. The KCC is built in to every Windows 2000 domain controller and runs every 15 minutes by default.

In a site, a complete replication cycle should take 15 minutes or less.

Intrasite replication uses Remote Procedure Calls (RPC) over Internet Protocol (IP). The RPC/IP communication within a site is considered synchronous. In other words, after a domain controller sends a request for Active Directory data replication to the originating domain controller, it waits for a reply before requesting data from any other originating domain controller.

Intersite replication supports synchronous RPC over IP, with the data compressed. It also supports Simple Mail Transfer Protocol (SMTP) for directory replication. The major difference between using RPC/IP and SMTP is that RPC/IP is synchronous while SMTP is asynchronous: with SMTP a domain controller does not wait for a reply from the originating domain controller before making a replication request to another domain controller. SMTP can carry the schema and configuration partitions and the global catalog partial replicas, but not the domain partition, and it requires an enterprise certification authority because the replication messages are signed and encrypted with certificates.

Use SMTP when the site link is unreliable and no domain spans the two sites.

The Active Directory uses pull replication. A domain controller that has a change notifies its direct replication partners, and each partner then requests (pulls) the changes from that source; the source never pushes updates into a partner.

The Active Directory avoids most collisions because replication happens at the attribute level, not the whole-object level. If one administrator changes the name of a user account while another changes the password, no collision occurs. When two domain controllers really do change the same attribute of the same object, the change with the higher version number wins; if the version numbers are equal, the later originating timestamp wins, and if those match too, the change from the domain controller with the higher originating GUID wins.

Within a site the KCC builds a ring of connections, so a given change could reach the same domain controller along more than one path. The Active Directory prevents this through a process called propagation dampening. Propagation dampening lets a sending domain controller detect, from the up-to-date vector the receiver sends with its request, that a change has already reached the receiving domain controller, so it is not sent a second time.

The Up-to-date vector is a value that a domain controller maintains in order to track all originating updates that have been received. When a domain controller requests a pull change from another domain controller, it sends its Up-to-date vector.
The High Watermark vector is maintained on a domain controller to determine the latest change for a specific object that was received from the source domain controller. Like the Up-to-date vector, the domain controller sends its High Watermark vector to the source domain controller for examination. The High Watermark vector prevents the same object changes from being sent twice.

The major difference between the Up-to-date and High Watermark vectors is that the High Watermark vector maintains values for domain controllers from which it requests changes, while the Up-to-date vector is maintained for every domain controller that has ever issued an originating update.
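As an added example (not from the original post), this PowerShell shows the replication metadata the paragraphs on USNs, attribute-level conflict resolution, propagation dampening and the two vectors describe, as reported by repadmin: the inbound partners and failures of every domain controller, this DC's up-to-date vector for the domain partition, and the per-attribute version, originating DSA and USN of one object. It assumes the Active Directory module (Windows Server 2008 R2 or RSAT) and repadmin, and it queries the local DC (localhost), so run it on a domain controller.

```powershell
# Added example: replication health and metadata via repadmin, run on a DC.
Import-Module ActiveDirectory
$domainDN = (Get-ADDomain).DistinguishedName

# 1. One CSV row per (destination DC, partition, source DC); keep the failing ones.
function Get-ReplicationFailures {
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA', 'Naming Context', 'Source DSA',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status', 'Last Success Time'
}
Get-ReplicationFailures | Format-Table -AutoSize

# 2. Up-to-date vector of this DC for the domain partition: for every DC that ever
#    made an originating write, the highest USN from it that this DC has applied.
#    This is what accompanies a pull request so the source can dampen propagation.
repadmin /showutdvec localhost $domainDN

# 3. Per-attribute metadata of one object: version, originating DSA, originating USN
#    and time. Conflict resolution compares exactly these (version, then time, then DSA).
repadmin /showobjmeta localhost "CN=Administrator,CN=Users,$domainDN"

# 4. A partner whose 'Last Success Time' is older than the tombstone lifetime
#    (60 or 180 days) should be rebuilt, not reconnected: reconnecting it would
#    replicate its deleted objects back in as lingering objects.
```

The showobjmeta output is also what you read during an incident: a change to a sensitive group shows which domain controller originated it and when, which narrows down whose session to look at.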

Schema determines what objects can be stored in the database, how they are stored, and how they are defined.

Metadata, which means “data about data.” The metadata determines what an object is and how it is defined. In other words, the metadata knows that user accounts may have qualities of user name, password, physical address, phone number, and so forth—not qualities such as one-sided, staple, color, and sort.

Every object has attributes, and every object belongs to a class as well. Classes are also a part of the metadata that also help define objects.

Each object belongs to at least one class, and each class belongs to a specific category of classes, which are as follows:
✦ Structural—All directory objects belong to classes that are structural. This means that structural classes can have instances, such as the User class.
✦ Abstract—An abstract class is a template that is used to create new structural classes. Objects do not belong to abstract classes, but abstract classes do contain attributes that they provide to other classes.
✦ Auxiliary—Auxiliary classes contain lists of attributes and help define structural and abstract classes.
There is also a special 88 class category that is used for backward compatibility for classes that do not fall under one of these three specifications. 88 classes were defined before the 1993 X.500 standards.


There is only one schema per Active Directory forest, so when you modify the schema, you modify it for your entire enterprise.

Active Directory Services Interface (ADSI) Editor is an Active Directory editor that enables you to add, move, and delete objects as well as view and manage attributes for objects. ADSI is also used to query the Active Directory and define query scopes.

IntelliMirror – Active Directory, Group Policy, Offline Files, Synchronization Manager, Disk Quotas, Roaming User Profiles, Windows Installer, Remote Installation Services.

Service Location (SRV) records are DNS resource records that map a service, such as LDAP, Kerberos or the global catalog, to the servers that offer it and the port they listen on. Every domain controller registers its own SRV records (for example _ldap._tcp.dc._msdcs.<domain> and _kerberos._tcp.<domain>) in the zone for its domain through dynamic DNS update, and the Netlogon service refreshes them periodically. Clients find domain controllers by querying these records, which is why a domain cannot function without DNS.

A zone is a contiguous portion of the DNS namespace that is segmented for management purposes. In a standard (file-based) zone there is a primary DNS server that holds the primary zone database file, the only writable copy; all other servers are provided for load balancing and hold a copy, called the secondary zone database file, that is updated through zone transfer. In an Active Directory-integrated zone the records are stored in the directory instead and every domain controller running DNS can accept updates; use secure dynamic update there so that only the computer that registered a record can change it.

An authoritative restore enables you to restore an Active Directory backup and prevent the restored objects from being overwritten by replication from other domain controllers. The restore job is marked authoritative: the version numbers of the restored objects are raised, so their data replicates out to the other domain controllers and overwrites their copies.

Use the NTDSUTIL command-line utility to perform an authoritative restore: start the domain controller in Directory Services Restore Mode, restore the system state (non-authoritatively), then in ntdsutil mark the subtree or object authoritative before rebooting. Since a restore is also a way to resurrect deleted accounts or rewrite group memberships, treat the Directory Services Restore Mode password as a domain-level secret and rotate it with ntdsutil’s set dsrm password when an administrator leaves.

Synchronization Manager works with offline files to ensure that a cached copy of a file is synchronized with the server’s copy when the user reconnects to the network.

To test whether a domain controller is also a global catalog server:
  1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Sites and Services.
  2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-name if no other sites are available.
  3. Open the Servers folder, and then click the domain controller.
  4. In the domain controller's folder, double-click NTDS Settings.
  5. On the Action menu, click Properties.
  6. On the General tab, view the Global Catalog check box to see if it is selected.
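As an added example (not from the original post), this PowerShell does the GUI check above from the command line and adds the DNS side of the story from the SRV record notes earlier: which servers advertise the global catalog in DNS, which one the DC locator picks, and whether a given server has the Global Catalog option set and has finished building it. The domain corp.example and the server dc01.corp.example are placeholders; it uses only nslookup, nltest and ADSI, so it does not need the Active Directory module.

```powershell
# Added example: is this DC a global catalog? Command-line equivalent of the GUI check.
# Placeholders: domain 'corp.example', server 'dc01.corp.example'.
$domain = 'corp.example'

# What the DC locator consults: SRV records registered by each DC (port 3268 is GC LDAP).
nslookup -type=SRV "_gc._tcp.$domain"
nslookup -type=SRV "_ldap._tcp.dc._msdcs.$domain"
nltest /dsgetdc:$domain /gc        # which GC the locator picks for this client right now

# The GUI checkbox is bit 0x1 (NTDSDSA_OPT_IS_GC) of the "options" attribute on the
# server's NTDS Settings object; isGlobalCatalogReady on RootDSE says whether the GC
# has finished its initial build and is actually being advertised.
function Test-GlobalCatalog([string]$DcHostName) {
    $rootDse = [ADSI]"LDAP://$DcHostName/RootDSE"
    $ntdsDN  = [string]$rootDse.Properties['dsServiceName'].Value   # DN of this DC's NTDS Settings
    $ntds    = [ADSI]"LDAP://$DcHostName/$ntdsDN"
    $options = [int]$ntds.Properties['options'].Value
    New-Object PSObject -Property @{
        DC          = $DcHostName
        OptionsIsGC = (($options -band 1) -ne 0)                                        # the checkbox
        GCReady     = ([string]$rootDse.Properties['isGlobalCatalogReady'].Value -eq 'TRUE')
        Site        = ($ntdsDN -replace '^.*?,CN=Servers,CN=([^,]+),.*$', '$1')
    }
}

Test-GlobalCatalog 'dc01.corp.example' | Format-List
```

OptionsIsGC true with GCReady false is the normal state for a while after you tick the checkbox: the partial replicas are still being built and the server will not register the _gc SRV record until they are complete.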