Active Directory
The Windows 2000 Active Directory is a large topic, and I will have to break it down into pieces to cover it all here; a whole website could be dedicated to Active Directory issues, features and suggestions. To begin with, Windows 2000 domains require a domain controller where all the user accounts and passwords are stored. This is the simplest function of a domain controller. The Windows 2000 domain controller adds enhancements that allow it to host DNS zones, maintain a directory of shared folders and printers, and take part in a multi-master replication model in which each domain controller maintains a writeable copy of the Active Directory.
Within a domain versus within a workgroup: within a domain, you have more control over the security options than in a workgroup.
Importing accounts into the Active Directory
For importing user accounts, Windows 2000 provides two utilities, CSVDE and LDIFDE.
Using CSVDE:
- Open a text file and type in the first line as the attribute line. The attributes you can use are:
Attribute | Example |
DN | cn=NiCk Rogers,ou=TechnoBuds,dc=evolution,dc=net |
objectClass | user |
sAMAccountName | nrogers |
userPrincipalName | nrogers@evolution.net |
displayName | NiCk Rogers |
userAccountControl | 512 (512 enables the account, 514 disables the account) |
- On the following lines, enter the values for the attributes you have used, in exactly the same order as the attribute line, and save the file
- Go to the command line and type:
csvde -i -f filename
Using LDIFDE:
- Open a text file and type in the entries in LDIF format, one attribute per line, starting each entry with its dn:
Attribute: Value
- Save the file
- Go to the command line and type:
ldifde -i -f filename
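The following Python script is an added example, not part of the original page: it builds the same user object in both import formats described above (a CSVDE file with the attribute line followed by value rows, and an LDIF file for ldifde -i), and checks the CSVDE output for the mistake the text warns about, a data row whose fields do not line up with the attribute line. The DN contains commas, so the CSV writer encloses it in double quotes, which is what csvde expects for such a value. The user, OU and domain values are the page's own example; the second (disabled) user is constructed.

```python
import csv
import io

# userAccountControl bits referred to on the page: 512 = normal account, 514 = 512 + disabled.
UAC_NORMAL_ACCOUNT = 0x0200
UAC_ACCOUNTDISABLE = 0x0002

# Attribute order of the CSVDE attribute line; every data row must follow it exactly.
CSVDE_ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                    "displayName", "userAccountControl"]


def user_account_control(disabled):
    """Return the userAccountControl value for a normal user account (512 or 514)."""
    return UAC_NORMAL_ACCOUNT | (UAC_ACCOUNTDISABLE if disabled else 0)


def user_record(cn, sam, ou_dn, upn_suffix, disabled=False):
    """Build one user object as a dict keyed by the CSVDE attribute names."""
    return {
        "DN": f"cn={cn},{ou_dn}",
        "objectClass": "user",
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{upn_suffix}",
        "displayName": cn,
        "userAccountControl": str(user_account_control(disabled)),
    }


def to_csvde(records):
    """Render records as a CSVDE import file: attribute line, then one row per user.
    The DN contains commas, so csv.writer encloses it in double quotes."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(CSVDE_ATTRIBUTES)
    for rec in records:
        writer.writerow([rec[attr] for attr in CSVDE_ATTRIBUTES])
    return buf.getvalue()


def to_ldifde(records):
    """Render records as an LDIF file for 'ldifde -i': 'dn:' first, 'changetype: add',
    then 'attribute: value' lines; entries are separated by a blank line."""
    entries = []
    for rec in records:
        lines = [f"dn: {rec['DN']}", "changetype: add"]
        lines += [f"{attr}: {rec[attr]}" for attr in CSVDE_ATTRIBUTES[1:]]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


def check_csvde(text):
    """Return the line numbers of data rows whose field count differs from the
    attribute line (values not in exactly the attribute line's order)."""
    rows = list(csv.reader(io.StringIO(text)))
    header_len = len(rows[0])
    return [i for i, row in enumerate(rows[1:], start=2) if len(row) != header_len]


if __name__ == "__main__":
    # Constructed sample input: the page's example user plus a disabled account.
    users = [
        user_record("NiCk Rogers", "nrogers", "ou=TechnoBuds,dc=evolution,dc=net", "evolution.net"),
        user_record("Temp Contractor", "tcontract", "ou=TechnoBuds,dc=evolution,dc=net",
                    "evolution.net", disabled=True),
    ]
    print(to_csvde(users))
    print(to_ldifde(users))
```

Write the two outputs to files and pass them to csvde -i -f and ldifde -i -f respectively; creating the second user with 514 rather than 512 is a way to bulk-load accounts that stay disabled until someone deliberately enables them.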
Groups
Within a domain, three types of groups are commonly used: Domain Local Groups, Global Groups and Universal Groups.
Domain Local Group Rules
Rule | Mixed mode | Native mode |
Membership | User accounts and global groups from any domain | User accounts, global groups and universal groups from any domain in the forest, and domain local groups from the same domain |
Can be a member of | Not a member of any group | Domain local groups in the same domain |
Scope | Only visible in its own domain | Only visible in its own domain |
Permissions for | The domain in which the domain local group exists | The domain in which the domain local group exists |
Global Group Rules
Rule | Mixed mode | Native mode |
Membership | User accounts from the same domain | User accounts and global groups from the same domain |
Can be a member of | Domain local groups | Universal and domain local groups in any domain, and global groups in the same domain |
Scope | Visible in its own domain and all trusted domains | Visible in its own domain and all trusted domains |
Permissions for | All domains in the forest | All domains in the forest |
Universal Group Rules
Rule | Mixed mode | Native mode |
Membership | Not applicable | User accounts, global groups and other universal groups from any domain in the forest |
Can be a member of | Not applicable | Domain local and universal groups in any domain |
Scope | Not applicable | Visible in all domains in the forest |
Permissions for | Not applicable | All domains in the forest |
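The three tables above are nesting rules, and a nesting chain can be checked against them mechanically. The script below is an added example (not from the original page): it encodes each table as data, answers whether a given principal may be placed in a given group under mixed or native mode, and walks a whole chain (user, global group, domain local group) to report the first illegal link. All domains in the sample are assumed to belong to one forest; the principal names and domains are constructed.

```python
from collections import namedtuple

# A security principal: kind is "user", "global", "domain_local" or "universal";
# domain is the DNS name of the domain it lives in (all assumed to be in one forest).
Principal = namedtuple("Principal", "name kind domain")

# For each container scope and mode: the member kinds it accepts, and whether the
# member must come from the "same" domain as the container or may come from "any".
RULES = {
    "domain_local": {
        "mixed":  {"user": "any", "global": "any"},
        "native": {"user": "any", "global": "any", "universal": "any", "domain_local": "same"},
    },
    "global": {
        "mixed":  {"user": "same"},
        "native": {"user": "same", "global": "same"},
    },
    "universal": {
        "mixed":  {},   # universal groups are not available in mixed mode
        "native": {"user": "any", "global": "any", "universal": "any"},
    },
}


def can_be_member(member, container, mode="native"):
    """True if 'member' may be placed in group 'container' under the given domain mode."""
    if container.kind not in RULES or mode not in ("mixed", "native"):
        raise ValueError("unknown group scope or domain mode")
    allowed = RULES[container.kind][mode]
    if member.kind not in allowed:
        return False
    if allowed[member.kind] == "same" and member.domain != container.domain:
        return False
    return True


def explain_nesting(chain, mode="native"):
    """Check a chain [principal, group, group, ...] link by link; return the first
    (member, container) pair that breaks the rules, or None if the chain is legal."""
    for member, container in zip(chain, chain[1:]):
        if not can_be_member(member, container, mode):
            return (member.name, container.name)
    return None


if __name__ == "__main__":
    # Constructed sample: a user in a global group, nested in another domain's
    # domain local group (legal in mixed mode), and one illegal cross-domain link.
    alice = Principal("alice", "user", "evolution.net")
    sales = Principal("Sales", "global", "evolution.net")
    fileshare = Principal("FileShare-RW", "domain_local", "corp.evolution.net")
    print(explain_nesting([alice, sales, fileshare], "mixed"))   # None
    other_dl = Principal("Other-DL", "domain_local", "evolution.net")
    print(explain_nesting([other_dl, fileshare], "native"))     # ('Other-DL', 'FileShare-RW')
```

Checking chains this way before granting permissions keeps the "permissions for" column honest: a domain local group from another domain silently cannot be nested, so the access it was meant to carry is never granted.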
Publishing Resources in the Active Directory
Publishing resources means creating objects in the Active Directory that:
- contain the required information, or provide a reference to it
- do not already exist in the Active Directory
- are relatively static and change infrequently
The purpose is to enable administrators and users to locate resources even if the physical location of the resources changes.
Publishing printers
Features:
- Any printer shared by a print server running Windows 2000 that has an account in the Active Directory is automatically published into the Active Directory.
- If a printer is removed from the network, its published counterpart is automatically removed from the Active Directory.
- When you modify or configure the printer's properties, Windows 2000 automatically updates the published printer object's attributes in the Active Directory
Publishing a printer manually:
- Open the Active Directory Users and Computers management console, and right-click on the container where you want to publish the printer.
- Point to New and click on Printer
- Type the Universal Naming Convention (UNC) name of the printer that you want to publish, e.g. \\Server1\EpsonC680
You can also publish a printer with the pubprn.vbs script located at %systemroot%\system32\pubprn.vbs (%systemroot% is the folder where Windows 2000 is installed; on most computers this is C:\WINNT). This is done as follows, either for every printer on a server or for one printer:
- pubprn.vbs server "LDAP://OU=Sales,DC=contoso,DC=msft"
- pubprn.vbs \\server\printer "LDAP://OU=Sales,DC=contoso,DC=msft"
Printer Locations
Using Printer Locations requires the network to have its printers on subnets that correspond to their physical location. It also requires printer locations to be written in the hierarchical form USA/Seattle/Location8/BuildingA/Block3/FloorM/Printer1. Provided these requirements are met, printers can be published into the Active Directory and users can search for the printers nearest to them.
The Logon Process
Interactive Logon Process
Windows 2000 controls access to resources by requiring a user to first log on to a computer. To log on to a computer, Windows 2000 requires each user to provide a unique user name and password. The logon process that occurs on a Windows 2000 computer includes the following steps:
- A user logs on, providing the required security credentials, including user name, password, and domain name. These credentials are passed to the security subsystem on the local computer.
- The local security subsystem uses DNS to locate a domain controller in the user's domain. The security subsystem then contacts the Kerberos service, called the Key Distribution Center, running on the domain controller, and requests a session ticket for the user to communicate with the Kerberos service. A ticket is a record that allows a client computer to authenticate itself to a server. The Kerberos service queries the Active Directory to authenticate the user and contacts a global catalog server to obtain the user's universal group memberships. The Kerberos service then returns a session ticket to the client computer that contains the user's SID and the user's universal, global, and domain local group memberships, which are used for future transactions with the Kerberos service.
Every domain controller in the domain runs the Kerberos service and is capable of granting session tickets for users and computers. If a domain controller is not available, domain authentication fails and the user is logged on using the cached logon credentials on the client computer. The client computer periodically attempts to locate the Kerberos service during the user's session, and completes the domain authentication process if one is found.
- The local security subsystem again contacts the Kerberos service on the domain controller and requests another session ticket authorizing the user to gain access to the Workstation service on the client computer, to complete the user logon process. This request includes a copy of the user's session ticket, which the Kerberos service uses to identify the user.
- The Kerberos service authenticates the user's ticket by querying the Active Directory and the global catalog server to verify the information contained in the user's session ticket. The Kerberos service then constructs a Workstation session ticket for the user that contains the validated security credentials copied from the user's original ticket, and returns the session ticket to the client computer.
- The local security subsystem on the client computer extracts the user's SID and universal, global, and domain local group memberships from the Workstation session ticket. The subsystem then constructs the user's access token by adding the SIDs of the local groups to which the user belongs and a list of the local user rights assigned to the user.
- The local computer creates a process with the access token attached. The access token is used to authenticate the user and serves as an identity card whenever the user attempts to use system resources.
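The last two steps, building the access token from the Workstation session ticket and then using it when a resource is accessed, are easier to follow in code. The block below is an added example and a deliberately simplified model, not the Windows implementation: a ticket carries the user SID and domain group SIDs, the local security subsystem adds local group SIDs and user rights, and an access check then walks a resource's DACL in canonical order (deny ACEs before allow ACEs). The well-known SIDs (Domain Users RID 513, Domain Admins RID 512, BUILTIN\Users S-1-5-32-545, BUILTIN\Administrators S-1-5-32-544) and privilege names are real; the domain SID prefix, the access-mask bits and the DACL are constructed for the example.

```python
# Constructed access-mask bits (stand-ins for the real file access rights).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


class SessionTicket:
    """What the page says the Workstation session ticket carries for the user:
    the user's SID and the SIDs of the universal, global and domain local groups."""
    def __init__(self, user_sid, domain_group_sids):
        self.user_sid = user_sid
        self.domain_group_sids = list(domain_group_sids)


class AccessToken:
    def __init__(self, user_sid, group_sids, rights):
        self.user_sid = user_sid
        self.group_sids = frozenset(group_sids)
        self.rights = frozenset(rights)

    def sids(self):
        """Every SID the token can be matched against: the user plus all groups."""
        return self.group_sids | {self.user_sid}


def build_access_token(ticket, local_groups, local_rights):
    """local_groups maps a local group SID to the set of SIDs that are its members;
    local_rights maps a SID to the user rights assigned to it on this computer."""
    ticket_sids = set(ticket.domain_group_sids) | {ticket.user_sid}
    group_sids = set(ticket.domain_group_sids)
    for local_sid, members in local_groups.items():
        if ticket_sids & members:      # the user or one of the domain groups is a member
            group_sids.add(local_sid)
    rights = set()
    for sid in group_sids | {ticket.user_sid}:
        rights |= local_rights.get(sid, set())
    return AccessToken(ticket.user_sid, group_sids, rights)


def access_check(token, dacl, requested):
    """dacl is a list of (ace_type, sid, access_mask) in canonical order (explicit deny
    ACEs before allow ACEs). Only ACEs naming a SID in the token count: a deny that
    covers any requested bit fails the check; allows accumulate until every requested
    bit is granted. Simplified model, not the Windows algorithm."""
    granted = 0
    token_sids = token.sids()
    for ace_type, sid, mask in dacl:
        if sid not in token_sids:
            continue
        if ace_type == "deny" and mask & requested:
            return False
        if ace_type == "allow":
            granted |= mask & requested
            if granted == requested:
                return True
    return False   # no allow ACE covered all requested bits: denied by default


if __name__ == "__main__":
    # Constructed sample: a domain user who is a member of Domain Users and a
    # domain group "Contractors" (RID 1101), logging on to a workstation.
    ticket = SessionTicket("S-1-5-21-1-1-1-1001",
                           ["S-1-5-21-1-1-1-513", "S-1-5-21-1-1-1-1101"])
    local_groups = {"S-1-5-32-545": {"S-1-5-21-1-1-1-513"},   # Users contains Domain Users
                    "S-1-5-32-544": {"S-1-5-21-1-1-1-512"}}   # Administrators contains Domain Admins
    local_rights = {"S-1-5-32-545": {"SeShutdownPrivilege"},
                    "S-1-5-32-544": {"SeBackupPrivilege"}}
    token = build_access_token(ticket, local_groups, local_rights)
    dacl = [("deny", "S-1-5-21-1-1-1-1101", WRITE),       # contractors may not write
            ("allow", "S-1-5-32-545", READ | WRITE)]
    print(sorted(token.group_sids), sorted(token.rights))
    print(access_check(token, dacl, READ), access_check(token, dacl, WRITE))
```

The sample shows why group membership in the ticket matters for least privilege: the deny ACE on the Contractors group wins over the allow ACE on Users for the write bit, but only because the deny was listed first, which is what canonical ACE ordering guarantees.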
Network Logon Process
A network logon occurs when a user establishes a network connection to a remote computer running Windows 2000, for example, when connecting to a shared folder. The authentication process is very similar to that of an interactive logon process.
The client computer obtains a server session ticket from the Kerberos service running on a domain controller in the user's domain. The client computer then sends the server session ticket to the local security subsystem on the server, which extracts the user's security credentials and constructs an access token for the remote user. This access token is used to authenticate the user whenever a resource on the server is accessed.
Secondary Logon Process
Secondary logon provides the ability to start and run an application by using the security credentials of another user without ending a session already in progress. For example, you can run administrative tools while logged on with a standard user account.
Dependence of Active Directory on DNS
Maintaining the DNS infrastructure is essential for a successful Active Directory implementation. The Active Directory uses the DNS namespace, and clients use the SRV (service) records created in DNS to locate the domain controllers.
The Active Directory shares its namespace with DNS.
How computers use DNS to locate domain controllers
- A search for a domain controller is initiated by a logon or an Active Directory search
- The Net Logon service collects the client information: ComputerName, DomainName, SiteName
- The Net Logon service sends a query containing the client information to the DNS service
- The DNS server returns a list of IP addresses for the domain controllers
- The client contacts the domain controllers using these IP addresses
- The domain controllers respond to the client request
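To make the locator steps concrete, here is an added example (not from the original page) that models the DNS side of the process: the SRV names the locator queries (first the site-specific name built from the client's SiteName, then the domain-wide name), the ordering RFC 2052/2782 prescribes for the answers (lowest priority first, weighted random among equal priorities), and the fallback when the site-specific record does not exist. The _ldap._tcp ... _msdcs names are the ones Net Logon registers; the zone contents, hosts and site names are constructed.

```python
import random
from collections import namedtuple

# One SRV resource record as the DNS server returns it (RFC 2052 fields).
SrvRecord = namedtuple("SrvRecord", "priority weight port target")


def dc_srv_names(dns_domain, site_name=None):
    """Owner names the DC locator asks DNS for. The site-specific name is tried first
    when Net Logon knows the client's site, then the domain-wide name."""
    names = []
    if site_name:
        names.append(f"_ldap._tcp.{site_name}._sites.dc._msdcs.{dns_domain}")
    names.append(f"_ldap._tcp.dc._msdcs.{dns_domain}")
    return names


def order_srv(records, rng=None):
    """Order SRV answers the way RFC 2052/2782 tells a client to use them: lowest
    priority first; among records of equal priority, a weighted random choice in
    which a higher weight is selected more often."""
    rng = rng or random.Random()
    ordered = []
    by_priority = {}
    for rec in records:
        by_priority.setdefault(rec.priority, []).append(rec)
    for priority in sorted(by_priority):
        pool = list(by_priority[priority])
        while pool:
            total = sum(rec.weight for rec in pool)
            point = rng.randint(0, total)
            running = 0
            for rec in pool:
                running += rec.weight
                if running >= point:   # first record whose running sum reaches the point
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def locate_dc(zone, dns_domain, site_name=None, rng=None):
    """zone maps an SRV owner name to its records (a constructed stand-in for the DNS
    query). Returns the (target, port) list to contact, nearest site first."""
    for name in dc_srv_names(dns_domain, site_name):
        answers = zone.get(name)
        if answers:
            return [(rec.target, rec.port) for rec in order_srv(answers, rng)]
    return []   # no SRV records at all: the locator cannot find a domain controller


if __name__ == "__main__":
    # Constructed zone data: two DCs in the domain, one of them also in site "Seattle",
    # plus a low-priority backup DC that is used only when the others do not answer.
    zone = {
        "_ldap._tcp.dc._msdcs.evolution.net": [
            SrvRecord(0, 100, 389, "dc1.evolution.net"),
            SrvRecord(0, 100, 389, "dc2.evolution.net"),
            SrvRecord(10, 0, 389, "dcbackup.evolution.net"),
        ],
        "_ldap._tcp.Seattle._sites.dc._msdcs.evolution.net": [
            SrvRecord(0, 100, 389, "dc1.evolution.net"),
        ],
    }
    print(locate_dc(zone, "evolution.net", site_name="Seattle"))
    print(locate_dc(zone, "evolution.net", site_name="Paris"))   # no site record: falls back
```

An empty result from locate_dc is exactly the situation described under the logon process, where domain authentication fails and the client falls back to cached credentials; checking that these SRV names resolve is therefore the first thing to verify when clients cannot find a domain controller.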
Active Directory-Integrated DNS Zones
After the Active Directory is installed, DNS zones can be integrated into it. This provides the following advantages:
- Primary zones are stored in the Active Directory, so the DNS database is replicated automatically whenever the Active Directory is replicated. This eliminates the need to manage replication of the DNS database and of the Active Directory database separately.
- Secure dynamic updates to the DNS database are enabled. This prevents unauthorized computers from adding records to the DNS database.
- The primary DNS server is eliminated as a single point of failure, because every copy of an Active Directory-integrated zone is writable. In the primary-secondary server model only the primary server holds a writable copy, and all the secondary servers hold read-only copies to which changes are copied from the primary server. (In older DNS servers, the entire database had to be copied whenever any update occurred on the primary DNS server; incremental zone transfer, IXFR, was later added so that the primary DNS server sends only the changes to the secondary DNS servers.)
When you set the properties of an Active Directory-integrated DNS zone to allow only secure updates, you can control access to zones and resource records by editing the DACL (discretionary access control list) of that zone or resource record.
DNS Requirements for Active Directory
If you choose to use a third-party DNS server rather than the DNS server supplied with Windows 2000, you have to make sure that it is capable of supporting the Active Directory. The requirements for installing the Active Directory are:
- Support for service (SRV) records (RFC 2052)
- Support for the dynamic update protocol (RFC 2136)
- Support for incremental zone transfer (RFC 1995)
When the Active Directory service is installed on a computer while promoting it to a domain controller, the Active Directory Installation Wizard searches the network for a DNS service that supports dynamic updates. If it does not find one, it offers to install one; this installs and sets up the DNS service with a forward-lookup zone. A static IP address is required for installing and configuring the DNS server.
The Active Directory arranges domains according to their names. For example, if microsoft.com is the root domain of a tree, support.microsoft.com will be a child domain in that tree. Another domain, contoso.msft, starts a new namespace and therefore belongs to a new tree. Both trees can be placed in a single forest if a transitive two-way trust is to be maintained between them.
Installing Active Directory
To promote a server to a domain controller, run the dcpromo utility from the Run dialog box or the command prompt. If a DNS server supporting dynamic updates is not found, the Active Directory Installation Wizard prompts you to set up a DNS server with a primary forward-lookup zone.
An unattended installation of the Active Directory can also be performed using an answer file. The answer file is then passed to the dcpromo utility on the command line: dcpromo /answer:<answer file>
An answer file for the Active Directory Installation Wizard contains only one section, [DCInstall]. Each operation in the wizard requires values for specific parameters in the [DCInstall] section of the unattended file. Default values are used for any parameter that is not specified.
The Active Directory installation wizard also sets the following services to start automatically:
- Remote Procedure Call (RPC) Locator: This service allows distributed applications to use the RPC name service. The RPC Locator service manages the RPC name service database.
- Net Logon: This service runs the Domain Controller Locator service. The Net Logon service is also responsible for creating a secure channel between client computers and domain controllers during logon, and for registering SRV resource records in DNS.
- KDC (Key Distribution Center): This service maintains a database with account information for all security principals in its realm, which is the Kerberos V5 authentication protocol equivalent of a Windows 2000 domain.
- Intersite Messaging (ISM): This service is used for mail-based replication between sites.
- Distributed Link Tracking Server: This service helps resolve shortcuts and OLE links to NTFS-resident files that have had their names changed, paths changed, or both.
- Windows Time: This service synchronizes clocks between client computers and servers that run Windows 2000.
You can verify the installation of the Active Directory by:
- Examining the DNS database to ensure that the required SRV resource records were created.
- Ensuring that SYSVOL has been properly created and shared.
- Verifying that the Active Directory database and log files were created: ntds.dit (directory database), edb.* (transaction logs and checkpoint files), res*.log (reserved log files).
- Examining the event logs (System, Directory Service, DNS Server, File Replication Service) for any errors generated during the installation.
Related Links:
Troubleshooting: Domain Users Cannot Join Workstation or Server to a Domain