
Basics of Active Directory

Active Directory:

Overview: Active Directory (AD) is a directory service created by Microsoft. Active Directory provides the means to manage the identities and relationships that make up the organization’s network. Active Directory gives you the out-of-the-box functionality needed to store all information and settings for a deployment in a central database, and allows administrators to assign policies and to deploy and update software.

Active Directory uses a number of standardized protocols to provide a variety of network services, including:

  • Lightweight Directory Access Protocol (LDAP), the industry-standard directory access protocol, compatible with many management and query applications. Active Directory supports LDAPv3 and LDAPv2.
  • Optional Kerberos-based authentication.
  • DNS-based naming and other network information.

Active Directory Benefits:

  • Integration with DNS:  Active Directory uses the Domain Name System (DNS). DNS is an Internet standard service that translates human-readable computer names (such as mycomputer.microsoft.com) to computer-readable numeric Internet Protocol (IP) addresses (four numbers separated by periods). This lets processes running on computers in TCP/IP networks identify and connect to one another.
  • Flexible querying:  Users and administrators can use the Search command on the Start menu, the My Network Places icon on the desktop, or the Active Directory Users and Computers snap-in to quickly find an object on the network using object properties. For example, you can find a user by first name, last name, e-mail name, office location, or other properties of that person’s user account. Finding information is optimized by use of the global catalog.
  • Extensibility:  Active Directory is extensible, which means that administrators can add new classes of objects to the schema and can add new attributes to existing classes of objects. The schema contains a definition of each object class, and each object class’s attributes, that can be stored in the directory. For example, you could add a Purchase Authority attribute to the User object and then store each user’s purchase authority limit as part of the user’s account.
  • Policy-based administration:  Group Policies are configuration settings applied to computers or users as they are initialized. All Group Policy settings are contained in Group Policy Objects (GPOs) applied to Active Directory sites, domains, or organizational units. GPO settings determine access to directory objects and domain resources, what domain resources (such as applications) are available to users, and how these domain resources are configured for use.
  • Scalability:  Active Directory includes one or more domains, each with one or more domain controllers, enabling you to scale the directory to meet any network requirements. Multiple domains can be combined into a domain tree and multiple domain trees can be combined into a forest. In the simplest structure, a single-domain network is simultaneously a single tree and a single forest.
  • Information Replication:  Active Directory uses multimaster replication, which lets you update the directory at any domain controller. Deploying multiple domain controllers in one domain provides fault tolerance and load balancing. If one domain controller within a domain slows, stops, or fails, other domain controllers within the same domain can provide necessary directory access, since they contain the same directory data.
  • Information security:  Management of user authentication and access control, both fully integrated with Active Directory. Active Directory centralizes authentication. Access control can be defined not only on each object in the directory, but also on each property of each object. In addition, Active Directory provides both the store and the scope of application for security policies.
  • Interoperability: Because Active Directory is based on standard directory access protocols, such as Lightweight Directory Access Protocol (LDAP), it can interoperate with other directory services employing these protocols. Several application programming interfaces (APIs), such as Active Directory Service Interfaces (ADSI), give developers access to these protocols.

Structure: Active Directory has a hierarchical structure that consists of various components which mirror the network of the organization. The components included in the Active Directory hierarchical structure are listed below:

  • Objects
  • Sites
  • Schema
  • Domains
  • Domain Trees
  • Forests
  • Organizational Units (OUs)
  • Domain Controllers
  • Global Catalog

Objects:  An Active Directory structure is a hierarchical arrangement of information about objects. The objects fall into two broad categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes. Certain objects can contain other objects. An object is uniquely identified by its name and has a set of attributes—the characteristics and information that the object represents— defined by a schema, which also determines the kinds of objects that can be stored in Active Directory.

Each attribute object can be used to define multiple schema objects. The schema object allows the schema to be extended or modified when necessary. However, because each schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can fundamentally change and/or disrupt a deployment. Schema changes automatically propagate throughout the system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires planning.

Sites:  A Site object in Active Directory represents a geographic location that hosts networks. Sites contain objects called Subnets.

Schema: The schema is a description of the object classes (the various types of objects) and the attributes for those object classes. For each class of object, the schema defines the attributes that object class must have, the additional attributes it may have, and the object class that can be its parent. Every Active Directory object is an instance of an object class. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is defined once but is used in many different classes.

The schema is stored in Active Directory. Schema definitions are themselves also stored as objects: Class Schema objects and Attribute Schema objects. This lets Active Directory manage class and attribute objects in the same way that it manages other directory objects.

Domains:  Objects are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated). Domains are identified by their DNS name structure, the namespace.

Domain Trees: A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive trust hierarchy.

Figure: Parent and child domains in a domain tree. Double-headed arrows indicate two-way transitive trust relationships.

Forests: A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration. The forest represents the security boundary within which users, computers, groups, and other objects are accessible.

Figure: One forest with three domain trees. The three root domains are not contiguous with each other, but EuropeRoot.com and AsiaRoot.com are child domains of HQ-Root.com.


Trust Relationships: A trust relationship is a relationship established between two domains that allows users in one domain to be recognized by a domain controller in the other domain. Trusts let users access resources in the other domain and also let administrators administer user rights for users in the other domain.

  • Two-way Trust: When you create a new child domain, the child domain automatically trusts the parent domain, and vice versa. At the practical level, this means that authentication requests can be passed between the two domains in both directions.
  • Transitive Trust: A transitive trust reaches beyond the two domains in the initial trust relationship. Here is how it works: If Domain A and Domain B (parent and child) trust each other and if Domain B and Domain C (also parent and child) trust each other, then Domain A and Domain C trust each other (implicitly), even though no direct trust relationship between them exists. At the level of the forest, a trust relationship is created automatically between the forest root domain and the root domain of each domain tree added to the forest, with the result that complete trust exists between all domains in an Active Directory forest. At the practical level, because trust relationships are transitive, a single logon process lets the system authenticate a user (or computer) in any domain in the forest. This single logon process potentially lets the account access resources on any domain in the forest.

Note, however, that the single logon enabled by trusts does not necessarily imply that the authenticated user has rights and permissions in all domains in the forest.

  • External Trust: External trusts enable user authentication to an external domain. All external trusts are one-way non-transitive trusts. Again, you can combine two one-way trusts to create a two-way trust relationship.


Figure: One-way external non-transitive trust
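The three trust rules above (parent/child trusts are two-way and transitive, tree-root trusts are two-way and transitive, external trusts are one-way and non-transitive) can be checked mechanically. The following is an added example, not code from the original post: it models a forest as a directed graph of trusts and answers whether a domain controller in one domain can accept an account from another. The domain names A, B, C, E and X are constructed; A/B/C is the parent-child chain from the text, E is a second tree root in the same forest, and X is an external domain that A trusts.

```python
from collections import deque


class TrustGraph:
    """Directed trust graph. An edge trusting -> trusted means that accounts
    from `trusted` can be authenticated by domain controllers in `trusting`.
    Each edge records whether the trust is transitive."""

    def __init__(self):
        self.edges = {}  # trusting -> {trusted: transitive (bool)}

    def add_one_way(self, trusting, trusted, transitive):
        self.edges.setdefault(trusting, {})[trusted] = transitive
        self.edges.setdefault(trusted, {})

    def add_two_way(self, a, b, transitive):
        self.add_one_way(a, b, transitive)
        self.add_one_way(b, a, transitive)

    def add_parent_child(self, parent, child):
        # Created automatically with a new child domain: two-way, transitive.
        self.add_two_way(parent, child, transitive=True)

    def add_tree_root(self, forest_root, tree_root):
        # Created automatically when a tree is added to the forest: two-way, transitive.
        self.add_two_way(forest_root, tree_root, transitive=True)

    def add_external(self, trusting, trusted):
        # External trusts are one-way and non-transitive.
        self.add_one_way(trusting, trusted, transitive=False)

    def trust_path(self, resource_domain, account_domain):
        """Return the chain of domains a DC in resource_domain follows to accept
        an account from account_domain, or None if no usable trust path exists.
        A non-transitive trust may only be used as a direct, single hop; any
        multi-hop chain must consist of transitive trusts only."""
        if resource_domain == account_domain:
            return [resource_domain]
        if account_domain in self.edges.get(resource_domain, {}):
            return [resource_domain, account_domain]
        prev = {resource_domain: None}
        queue = deque([resource_domain])
        while queue:
            cur = queue.popleft()
            for nxt, transitive in self.edges.get(cur, {}).items():
                if not transitive or nxt in prev:
                    continue
                prev[nxt] = cur
                if nxt == account_domain:
                    path = [nxt]
                    while prev[path[-1]] is not None:
                        path.append(prev[path[-1]])
                    return path[::-1]
                queue.append(nxt)
        return None

    def can_authenticate(self, resource_domain, account_domain):
        return self.trust_path(resource_domain, account_domain) is not None


def build_example_forest():
    """Constructed forest: A is the forest root, B is a child of A, C is a child
    of B, E is the root of a second tree, and X is an external domain."""
    g = TrustGraph()
    g.add_parent_child("A", "B")
    g.add_parent_child("B", "C")
    g.add_tree_root("A", "E")
    g.add_external("A", "X")  # A trusts X; X does not trust A
    return g


if __name__ == "__main__":
    g = build_example_forest()
    for resource, account in (("C", "A"), ("E", "C"), ("A", "X"), ("X", "A"), ("B", "X")):
        print(f"{resource} accepts accounts from {account}: {g.trust_path(resource, account)}")
```

The last two queries show the practical difference: X cannot accept accounts from A because the external trust is one-way, and B cannot accept accounts from X because the external trust is non-transitive and B has no direct trust with X. A path existing only means the logon can be validated; as the note above says, it says nothing about what permissions the account then has.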

Organizational Units (OUs):

An organizational unit (OU) is a container that is used to logically organize and group Active Directory objects within domains. OUs are not part of the DNS namespace. They are used to organize Active Directory objects into logical administrative groups. OUs therefore serve as containers in which you can create and manage Active Directory objects. OUs are considered the smallest unit to which an Administrator can assign permissions to resources within Active Directory.

An OU enables you to apply security policies, deploy applications, delegate administrative control for Active Directory objects, and to run scripts. An important thing to understand is that OUs are not security principals. The user accounts, group accounts, and computer accounts within the OUs are security principals.

A few benefits of OUs are:

  • OUs can be nested to support different levels of hierarchy.
  • Each domain in the Active Directory environment can have its own OU structure. The OU structure of one domain is independent of another domain’s OU structure.
  • It is fairly simple to change an OU structure. OU structures are much more flexible than domain structures.
  • OU configuration settings can be inherited by objects in child OUs.
  • Group Policy settings can also be applied to OUs.
  • You can delegate administrative control of Active Directory objects through OUs.

Domain Controller:  A domain controller holds a replica of the Active Directory directory for the domain to which it belongs. It is also responsible for managing that directory.

  • The domain controller is responsible for replicating all changes made to its Active Directory replica to the remaining domain controllers within the domain. The default replication setting is that domain controllers in a site replicate changes made to their replica of Active Directory to all domain controllers within the domain every 15 minutes. You can control the amount of replication traffic generated within your Active Directory environment by specifying how often replication should occur.
  • Domain controllers also manage access to network resources in the domain. They locate Active Directory objects, authenticate access to these objects, validate user logon attempts, and authenticate user passwords. User account changes, such as an account being disabled, are immediately replicated by the particular domain controller to all domain controllers within the domain.
  • Domain controllers track user account information through Security Identifiers (SIDs). When a user attempts to log on to the system, a request to authenticate the user is sent to each domain controller within the domain. The user is authenticated via Kerberos security after a domain controller is located and a secure connection is established. Authentication is based on the user providing a username and password that correspond to those in the Active Directory database. The session information, or access token, of the account is stored in memory. This includes rights and group membership details. When the user attempts to access network resources, the access token and the permissions of the resource are compared to ascertain what access is permitted to the network resource.
  • Multiple domain controllers provide fault tolerance in your Active Directory environment. In the Windows NT domain model, no changes could be made to the domain database when the primary domain controller was unavailable. With Active Directory, because domain controllers function as peers to one another, changes can be made to the Active Directory database from any domain controller in the domain. When a domain controller is unavailable, the remainder of the domain controllers continue to provide access to network resources.
  • Domain controllers also integrate with network services such as DNS, DHCP, Kerberos security, and Remote Access. This in turn facilitates centralized management and security.
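The comparison of an access token with a resource's permissions, described in the list above, follows a fixed order of evaluation. The block below is an added example, not code from the original post: a simplified model of that check, where the token carries the user's SID plus group SIDs and the resource carries a DACL of allow/deny ACEs walked in order. The SIDs, the Sales group and the share are constructed for illustration (513 is the well-known RID of Domain Users; the domain portion of the SIDs is made up).

```python
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# Constructed SIDs: the domain identifier S-1-5-21-1111-2222-3333 is invented.
DOMAIN = "S-1-5-21-1111-2222-3333"
SID_ALICE = f"{DOMAIN}-1104"
SID_BOB = f"{DOMAIN}-1105"
SID_DOMAIN_USERS = f"{DOMAIN}-513"  # 513 is the well-known RID of Domain Users
SID_SALES = f"{DOMAIN}-2001"         # constructed RID for a "Sales" group


class AccessToken:
    """Built at logon from the authenticated user's SID and group SIDs."""

    def __init__(self, user_sid, group_sids):
        self.sids = frozenset([user_sid, *group_sids])


class Ace:
    """One access control entry: allow or deny a rights mask to one SID."""

    def __init__(self, kind, sid, mask):
        assert kind in ("allow", "deny")
        self.kind, self.sid, self.mask = kind, sid, mask


def canonical_dacl(aces):
    """Canonical order places explicit deny ACEs ahead of allow ACEs, so a deny
    is always evaluated before an allow that could grant the same right."""
    return sorted(aces, key=lambda a: 0 if a.kind == "deny" else 1)


def access_check(token, dacl, desired):
    """Walk the DACL in order. A matching deny ACE covering any still-wanted
    right refuses access; matching allow ACEs accumulate rights until every
    wanted right is granted. An empty DACL grants nothing."""
    remaining = desired
    if remaining == 0:
        return True
    for ace in dacl:
        if ace.sid not in token.sids:
            continue  # ACE is for a SID the caller does not hold
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True
    return False


# Constructed scenario: a share readable and writable by Domain Users, with the
# Sales group explicitly denied write access.
SHARE_DACL = canonical_dacl([
    Ace("allow", SID_DOMAIN_USERS, READ | WRITE),
    Ace("deny", SID_SALES, WRITE),
])


def alice_token():
    return AccessToken(SID_ALICE, [SID_DOMAIN_USERS, SID_SALES])


def bob_token():
    return AccessToken(SID_BOB, [SID_DOMAIN_USERS])


if __name__ == "__main__":
    for name, tok in (("alice", alice_token()), ("bob", bob_token())):
        print(name, "read:", access_check(tok, SHARE_DACL, READ),
              "write:", access_check(tok, SHARE_DACL, WRITE))
```

Alice can read but not write, because the deny ACE for her Sales group is evaluated before the allow ACE for Domain Users; Bob, who is not in Sales, can do both. This is also the concrete form of the note in the trust section: being authenticated (having a token) and being authorized (passing this check) are separate steps.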

Global Catalog: The global catalog is a distributed data repository that is stored on global catalog servers and distributed via multimaster replication. It is composed of a partial, searchable representation of every object in the multidomain Active Directory forest. The global catalog is used because it makes searches faster: they do not need to involve referrals to different domain controllers.

In addition, the global catalog lets you find an object without needing to know the object’s domain name. This is possible because a global catalog server holds not only a full, writable replica of its own domain directory, but also a partial, read-only replica of all the other domain directory partitions in the forest. Therefore, because it is composed of only the attributes most used during searching, all objects in every domain of a forest, small or large, can be found in the database of one global catalog server.

To maintain the ability to conduct a full, fast, and effective search, the global catalog is continuously updated by the Active Directory replication system. The attributes that are replicated to the catalog are known as the partial attribute set (PAS).



How Does It Work?

  • As an example, if a user searches for all printers within the forest, a global catalog server processes the request by searching the global catalog and returns the results. Without the global catalog server, the user would have had to search separately in every forest.
  • When a user runs a query (for example, during an interactive domain logon), the domain controller authenticates the user by first validating the user’s identity and all the groups the user is a member of. Because the global catalog holds all memberships of all groups, access to a global catalog server is necessary for accessing all forests, and is thus a requirement for Active Directory authentication. Therefore, it is best to have at least one global catalog server in every Active Directory site, so that the authenticating domain controller does not need to transmit queries over a WAN connection to source information and process tasks.
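The difference between a global catalog server's full replica of its own domain and its partial, read-only replica of the other domains is easier to see on a small model. The following is an added example, not code from the original post or from Microsoft: it builds a three-domain forest using the domain names from the figure above, fills a global catalog server with the home domain's full objects plus only the partial attribute set of the others, and shows which searches succeed in one lookup and which need a referral. The objects, attribute values and the particular attributes placed in the partial attribute set are constructed.

```python
from dataclasses import dataclass

# Constructed partial attribute set: the attributes replicated to the catalog.
PARTIAL_ATTRIBUTE_SET = frozenset({"objectClass", "sAMAccountName", "mail"})


class Domain:
    """A domain directory partition: the full, writable replica of its objects."""

    def __init__(self, dns_name, objects):
        self.dns_name = dns_name
        self.objects = objects  # distinguishedName -> attribute dict


@dataclass(frozen=True)
class Referral:
    """Returned when an attribute is absent from the partial replica: the client
    must follow up with a domain controller of the object's own domain."""
    domain: str


def domain_of(dn):
    # Rebuild the domain's DNS name from the DC= components of the DN.
    return ".".join(p[3:] for p in dn.split(",") if p.startswith("DC="))


class GlobalCatalogServer:
    def __init__(self, home, forest, pas=PARTIAL_ATTRIBUTE_SET):
        self.home, self.pas = home, pas
        self.replica = {}  # dn -> (attributes, is_partial)
        for domain in forest:
            partial = domain is not home
            for dn, attrs in domain.objects.items():
                if partial:  # read-only copy holding only PAS attributes
                    attrs = {k: v for k, v in attrs.items() if k in pas}
                self.replica[dn] = (dict(attrs), partial)

    def search(self, attribute, value):
        """One forest-wide lookup with no referrals. Objects outside the home
        domain are only matched on attributes in the partial attribute set."""
        return sorted(dn for dn, (attrs, _) in self.replica.items()
                      if attrs.get(attribute) == value)

    def read_attribute(self, dn, attribute):
        attrs, partial = self.replica[dn]
        if attribute in attrs:
            return attrs[attribute]
        if partial and attribute not in self.pas:
            return Referral(domain_of(dn))
        return None  # attribute simply not set on this object


def build_forest():
    """Constructed forest using the domain names from the figure above."""
    hq = Domain("hq-root.com", {
        "CN=Bob,OU=Finance,DC=hq-root,DC=com": {
            "objectClass": "user", "sAMAccountName": "bob",
            "mail": "bob@hq-root.com", "department": "Finance"},
    })
    europe = Domain("europeroot.com", {
        "CN=Alice,OU=Sales,DC=europeroot,DC=com": {
            "objectClass": "user", "sAMAccountName": "alice",
            "mail": "alice@europeroot.com", "department": "Sales"},
        "CN=Printer01,OU=Sales,DC=europeroot,DC=com": {
            "objectClass": "printQueue", "location": "Paris"},
    })
    asia = Domain("asiaroot.com", {
        "CN=Printer02,OU=Ops,DC=asiaroot,DC=com": {
            "objectClass": "printQueue", "location": "Tokyo"},
    })
    return hq, [hq, europe, asia]


def hq_global_catalog():
    home, forest = build_forest()
    return GlobalCatalogServer(home, forest)


if __name__ == "__main__":
    gc = hq_global_catalog()
    print("printers in the forest:", gc.search("objectClass", "printQueue"))
    print("department of Alice via GC:",
          gc.read_attribute("CN=Alice,OU=Sales,DC=europeroot,DC=com", "department"))
```

The printer search finds objects in both other domains in a single query, which is the "all printers within the forest" case from the list above. Reading Alice's department, an attribute outside the partial attribute set, returns a referral to europeroot.com, and a search on that attribute only matches objects of the home domain, because the catalog never received it for the other domains.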

Ports Commonly Used by Global Catalog Servers (port, with the service name in parentheses):

  • 3268 (Global Catalog)
  • 3268 (Global Catalog SSL)
  • 135 (End Point Mapper)
  • 88 (Global Catalog)
  • SMB over IP
