Thursday, April 30, 2009

Active Directory Partitions

Schema partition
Configuration partition
Domain partition
Application partition

Each partition is a unit of replication, and each partition has its own replication topology. Replication occurs between replicas of a directory partition. At a minimum, two directory partitions are common to all domain controllers in the same forest: the schema and configuration partitions. In addition, all domain controllers in the same domain share a common domain partition.

Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. It contains the definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the forest.

Configuration Partition
There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in the forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

Domain Partition
Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units. The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application Partition
Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host them. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

As an example of application partitions, if you use a Domain Name System (DNS) that is integrated with Active Directory, you have two application partitions for DNS zones: ForestDNSZones and DomainDNSZones.

ForestDNSZones is part of a forest. All domain controllers that are DNS servers in the forest receive a replica of this partition. This forest-wide application partition stores the forest zone data.

DomainDNSZones is unique for each domain. All domain controllers that are DNS servers in that domain receive a replica of this partition. This application partition stores the domain DNS zone data.

Each domain has a DomainDNSZones partition, but there is only one ForestDNSZones partition per forest. No DNS data is replicated to the global catalog server.
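As an added example (mine, not the blog's), here is a small Python routine that takes the namingContexts values an LDAP RootDSE query returns and sorts them into the four partition types described above, then checks the claim that every domain has its own DomainDNSZones partition. The DNs are constructed for a fictitious forest, corp.example, with one child domain.

```python
from typing import Dict, List

# Constructed sample of a RootDSE "namingContexts" attribute for a forest whose
# root domain is corp.example with one child domain, sales.corp.example.
SAMPLE_NAMING_CONTEXTS = [
    "DC=corp,DC=example",
    "CN=Configuration,DC=corp,DC=example",
    "CN=Schema,CN=Configuration,DC=corp,DC=example",
    "DC=DomainDnsZones,DC=corp,DC=example",
    "DC=ForestDnsZones,DC=corp,DC=example",
    "DC=sales,DC=corp,DC=example",
    "DC=DomainDnsZones,DC=sales,DC=corp,DC=example",
]

# The two well-known application partitions that AD-integrated DNS creates.
DNS_APP_PARTITIONS = ("DC=ForestDnsZones,", "DC=DomainDnsZones,")


def forest_root_dn(naming_contexts: List[str]) -> str:
    """The configuration partition hangs off the forest root, so its suffix names the root."""
    prefix = "CN=Configuration,"
    for nc in naming_contexts:
        if nc.startswith(prefix):
            return nc[len(prefix):]
    raise ValueError("no configuration naming context: not an Active Directory RootDSE")


def classify_partitions(naming_contexts: List[str]) -> Dict[str, List[str]]:
    """Bucket naming contexts into schema / configuration / domain / application.

    Only the DNS zone partitions are recognised as application partitions here; a
    custom application partition would need the systemFlags of its crossRef object
    under CN=Partitions to be told apart from a domain partition.
    """
    root = forest_root_dn(naming_contexts)
    buckets: Dict[str, List[str]] = {"schema": [], "configuration": [], "domain": [], "application": []}
    for nc in naming_contexts:
        if nc == f"CN=Schema,CN=Configuration,{root}":
            buckets["schema"].append(nc)
        elif nc == f"CN=Configuration,{root}":
            buckets["configuration"].append(nc)
        elif nc.startswith(DNS_APP_PARTITIONS):
            buckets["application"].append(nc)
        else:
            buckets["domain"].append(nc)
    return buckets


def domains_missing_dns_zone(buckets: Dict[str, List[str]]) -> List[str]:
    """Every domain should have its own DomainDnsZones partition; report those that do not."""
    return [d for d in buckets["domain"]
            if f"DC=DomainDnsZones,{d}" not in buckets["application"]]
```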

Thursday, April 23, 2009

Windows Server 2008 - New Active Directory Features

New developments for Active Directory in Windows Server 2008 include a Read-only domain controller (RODC), reducing domain controller reboots, and separating the domain administrator from the local machine administrator accounts.

Windows Server 2008 Active Directory Topics
The Five Active Directory Roles
How to Install an Active Directory Role
Read-only Domain Controller (RODC)
Re-startable AD
STS (Security Token Service)
DC (Domain Controller) / Domain Admin Separation

The Five Active Directory Roles
While 'Role' is normally such an insignificant word, in Windows Server 2008 Microsoft have elevated 'Role' to the status of a keyword. The most important association for the word 'Role' is to invoke the correct installation wizard, which then installs all the necessary sub-components associated with that role.

1) AD DS - Active Directory Domain Services.
This is the main Active Directory database for user and computer objects. AD DS is a descendant of Active Directory in Windows 2000 --> 2003 --> 2008. Remember the two sides of AD DS: the physical data store and the logical structure of forest, domains, OUs and sites.

2) AD CS - Certificate Services. Certificate Services (CS) specializes in managing digital certificates (PKI). Security is the key; the idea is to protect data in these scenarios: S/MIME for email, SSL for websites, smartcard logon via VPN, and encrypting files (EFS). Naturally, it integrates with AD DS above.

3) AD RMS - Rights Management Solution. Can be used to protect documents sent in emails. Users must first have an AD DS account. Services using RMS must also be registered in Active Directory.

4) AD FS - Federation Services
Federation manages trust relationships between different organizations. It also provides single sign-on for web-based applications, for example, online retailers.

5) AD LDS - Active Directory Lightweight Directory Services
This is like the ADAM (Active Directory Application Mode) service of Windows Server 2003. Only use AD LDS for applications that cannot use the regular AD DS, for example where there are security worries, or where you just need to test LDAP features. Unlike the other roles, AD LDS is an alternative to the main Active Directory rather than an extension of it.

How to Install an Active Directory Role
Firstly, with Active Directory you always need to plan. I am assuming that you have installed a member server. Now is the time to ask smart questions such as, 'Is this a brand new forest?' or, 'Is this an additional domain controller in an existing domain?'
Secondly, the mechanics are easy. The new method of installing Active Directory in Windows Server 2008 is to use 'Add roles'. For this feature, open Server Manager and then scroll down to 'Add roles'.
The Active Directory wizard will guide you through all the options so that you can make smart choices for your situation. New choices include specifying a DNS server, making the server a Global Catalog, and selecting the Read-only Domain Controller option. At this time you may also want to select a site for your DC and, more importantly, set the functional levels for the domain, or even the entire forest.
If you are familiar with the command-line program called dcpromo, then you will be used to the planning tree: new domain / child domain / new forest. Just go to the command line as you did in Windows Server 2003 and type dcpromo.
Be aware that you can still create answer files for dcpromo. This is useful if you are creating multiple domain controllers with a similar specification.

Read only Domain Controller (RODC)
The goal of a Read-only DC (RODC) is to reduce physical security requirements and simplify local operations. At first sight this sounds like a return to the BDC. While this is indeed a read-only copy of the Active Directory database, its rationale is different from the old NT 4 BDC. The RODC philosophy is: don't install features that a small office does not require.

All the features that Microsoft have put into a read-only DC are intended to turn their vision of a branch office model into reality. The model requires a local domain controller that can service users' logon requests, but without the need for an administrator out at the branch. A read-only DC, which can authenticate clients from its own site, is much less vulnerable to attack from hackers.
One crucial decision is how to control password caching on the RODC. The benefits of caching are clear: faster second and subsequent logons, and the ability to log on if the WAN link to the normal domain controllers is down. However, caching the passwords of important accounts, for example the Administrator or your Financial Director, is a security liability. Your biggest security worry with the RODC is what a hacker could do with unlimited time to crack the cached accounts and passwords in the SAM database if the server were stolen.
As usual, Microsoft have thought through the problem and come up with the answer in the form of a Password Replication Policy. In a nutshell, this policy determines which accounts can have their passwords cached.
When you set up the RODC, specify which account passwords to allow or deny from being cached on the RODC. This configuration page appears only if you select the 'Use advanced mode installation' check box.

Re-startable AD (Active Directory)
Windows Server 2008's re-startable AD continues the trend of reducing domain controller reboots. This restart facility is particularly welcome after you apply security updates to domain controllers. Re-startable Active Directory is implemented as a normal Windows service that can be stopped and started as required. Not only does this reduce the need for reboots, it also simplifies offline actions such as defragging the AD database.
The secret to restarting Active Directory is to remember that it has a corresponding service, which you can start and stop via the Computer Management snap-in.
You may wish to check which services depend on AD DS to function. The best way to check these dependencies is to right-click Active Directory Domain Services, and then click Properties. Incidentally, all the dependent services stop first. Then Windows Server 2008 stops the AD DS.

STS (Security Token Service)
Windows Server 2008 will add a new service to Active Directory called a Security Token Service (STS) that integrates authentication and authorization in a manner that simplifies access management. The Security Token Service extends the capabilities introduced with ADFS (Active Directory Federation Services) to include support for smart clients, 'InfoCards', and privacy. In addition, STS will integrate resource discovery and management. For example, using the STS, customers will be able to automatically find application resources and operations, and provide granular access control for these operations.

DC (Domain Controller) / Domain Admin Separation
In Windows Server 2008 there will be a DC (Domain Controller) Admin and a separate Domain Admin. This means the DC Admin will not automatically have all privileges in the domain. You will see a new user group called DC Admin. DC Admins will be able to log in to the domain controllers, but they will not automatically be granted domain administrator privileges.

Other new features of Server 2008 Active Directory
Install a DC on Server Core, and thus minimize the attack surface.

Wednesday, April 22, 2009

Difference Between a Domain Network and a Workgroup Network

  • Architecture: client-server (domain) vs. peer-to-peer (workgroup)
  • Management and administration: centralized (domain) vs. decentralized (workgroup)
  • Login: domain login, centralized (domain) vs. local login, decentralized (workgroup)
  • Use: implemented where security is more important (domain) vs. where resource sharing is more important (workgroup)
  • Active Directory: a copy of Active Directory is present, i.e. a domain controller exists in a domain network; Active Directory is not present in a workgroup network

How a network transmits data

To view a Web page, the user opens a Web browser, such as Internet Explorer, and enters a Web address, such as

The computer translates the Web address into an Internet Protocol (IP) address.

TCP/IP adds the hardware address of the default gateway and sends the data to the computer’s network interface card. In this example, the default gateway is an asymmetric digital subscriber line (ADSL) router, but it can also be a cable modem or a dial-up analog modem.

The network interface card sends the data in single or multiple packets over a wired or wireless network. In this example, the ADSL router is connected directly to the Internet through your Internet service provider (ISP).

TCP/IP sends the data, or network packet, to the local computer’s network interface card, which then passes the packet to the ADSL router. The ADSL router retrieves the packet and passes it to TCP/IP.

TCP/IP examines the packet and decides where to send the data next. TCP/IP replaces the hardware address with the hardware address of the next router and passes the data to the network interface card for transmission on the network.

The data may pass through several routers before it reaches the destination host, or Web server. At every router, the packet is examined and TCP/IP decides where to send the data next.

When the packet reaches the Web server, the application retrieves the requested data (in this case, the Web page) and sends it back to the requesting computer.

The network interface card on the computer receives the data and passes the information to TCP/IP. TCP/IP examines the packet and passes the data to Internet Explorer, which then displays the page. In this example, the computer and ADSL router represent a local area network, or LAN, because they are physically close together.

The Internet is an example of a wide area network, or WAN, because the routers on the Internet typically connect different networks that are geographically separated. In an office environment, when a user requests a Web page, the packet may pass through several hubs, switches, or routers on the office LAN before it reaches the Web server on the Internet.

The network initialization process

When Windows Vista starts, the Windows Firewall initializes before the computer connects to the network. This arrangement helps protect the computer from attackers.

During startup, the operating system initializes the network interface card (NIC) and assigns unique IPv4 and IPv6 addresses.

Windows Vista requests a DHCP address lease and obtains the address of a DNS server, if configured on the DHCP server.

Windows Vista then registers this IP address with the computer's name and domain on the network.

The operating system requests the Media Access Control (MAC) address for the DNS server's IP address.

Windows Vista sends a DNS service (SRV) query and a corresponding address (A) query for a domain controller in the computer's domain.

The operating system then sends the domain controller an LDAP request for a suitable network logon point. Typically, the domain controller responds with its own name.

Windows Vista then uses TCP and remote procedure calls (RPCs) to bind to that domain controller.

The client computer uses Network Time Protocol (NTP) to synchronize its clock with the domain controller because Kerberos version 5 authentication requires time synchronization.

The client computer and the domain controller now conduct Kerberos negotiation, falling back to NTLM if unsuccessful. If successful, the server responds with a Kerberos ticket.

Windows Vista then makes a server message block (SMB) connection to the server, trying SMB 2.0 first and reverting to SMB 1.0 if unsuccessful.

Windows Vista binds to the domain controller's SYSVOL share and applies the computer element of any relevant group policies. These policies can include changes to the firewall settings.

The network initialization process is now complete.
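To make the domain controller lookup step concrete, here is an added Python example (not part of the original post) that builds the SRV query a domain member sends for _ldap._tcp.dc._msdcs.<domain> and parses a reply, ordering the returned DCs by priority and weight. The reply bytes are constructed inline so it runs offline; no DNS server is contacted.

```python
import struct
from typing import List, Tuple

def dc_locator_name(domain: str) -> str:
    return f"_ldap._tcp.dc._msdcs.{domain}"  # owner name AD uses to publish its DCs

def encode_name(name: str) -> bytes:
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_srv_query(name: str, txid: int) -> bytes:
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    return header + encode_name(name) + struct.pack(">HH", 33, 1)  # QTYPE=SRV, QCLASS=IN

def decode_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a possibly compressed name; return (name, offset just past it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer, RFC 1035 section 4.1.4
            ptr = struct.unpack(">H", msg[off:off + 2])[0] & 0x3FFF
            labels.append(decode_name(msg, ptr)[0])
            return ".".join(labels), off + 2
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length

def parse_srv_answers(msg: bytes, expected_txid: int) -> List[Tuple[int, int, int, str]]:
    """Return (priority, weight, port, target) tuples, preferred DC first."""
    txid, _, qdcount, ancount = struct.unpack(">HHHH", msg[:8])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: not the reply to our query")
    off = 12
    for _ in range(qdcount):
        off = decode_name(msg, off)[1] + 4  # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = decode_name(msg, off)[1]
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 33:  # SRV record
            prio, weight, port = struct.unpack(">HHH", msg[off:off + 6])
            answers.append((prio, weight, port, decode_name(msg, off + 6)[0]))
        off += rdlen
    return sorted(answers, key=lambda a: (a[0], -a[1]))  # lowest priority, heaviest weight

def _srv_rr(owner: str, prio: int, weight: int, port: int, target: str) -> bytes:
    rdata = struct.pack(">HHH", prio, weight, port) + encode_name(target)
    return encode_name(owner) + struct.pack(">HHIH", 33, 1, 600, len(rdata)) + rdata

def sample_response(domain: str = "corp.example", txid: int = 0x1234) -> bytes:
    """Constructed reply naming two DCs, the preferred one deliberately listed last."""
    owner = dc_locator_name(domain)
    header = struct.pack(">HHHHHH", txid, 0x8180, 1, 2, 0, 0)  # QR=1, two answers
    return (header + build_srv_query(owner, txid)[12:]
            + _srv_rr(owner, 10, 100, 389, "dc2.corp.example")
            + _srv_rr(owner, 0, 100, 389, "dc1.corp.example"))
```

A plain DNS reply is unauthenticated, so the transaction-id check only filters stray packets; the Kerberos exchange that follows is what authenticates the chosen domain controller.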

Features of Read-Only Domain Controller (RODC)

A Read-Only Domain Controller (RODC) is a new type of domain controller in Windows Server 2008. Its main purpose is to improve security in office branches. In this post, I summarize the functionality of RODC.

In office branches, it is often not easy to provide sufficient physical security for servers. It is not a big deal to manipulate a Windows system if you can get physical access to it. Since domain controllers store security-sensitive data, they are particularly endangered. RODCs can help with this problem in four ways:

RODC essentials
Read-only feature: An intruder on the RODC can't manipulate the Active Directory database.
DNS protection: If the RODC server hosts a DNS server, the intruder won't be able to tamper with the DNS data.
Password protection: A malicious user won't be able to access passwords using a brute-force attack. This applies only if password caching is disabled on the RODC.
Administrator Role Separation: You can delegate a local Administrator role to a domain user.

Read-only Domain Controller
An RODC holds all Active Directory objects and attributes.
RODCs only support unidirectional replication of Active Directory changes (i.e., from the forest to the RODC). If an application needs write access to Active Directory objects, the RODC will send an LDAP referral response that redirects the application to a writable domain controller.

DNS Protection
A DNS server running on an RODC doesn’t support dynamic updates.
If a client wants to update its DNS record, the RODC will send a referral for a writeable DNS server. The client can then update against this DNS server.
This single record will then be replicated from the writable DNS server to the RODC DNS server.

Password Protection
By default, an RODC doesn't store user or computer credentials. (The only exception is the computer account of the RODC itself and a special krbtgt account.)
However, an RODC can cache passwords. If a password isn't cached, the RODC will forward the authentication request to a writeable DC. The Password Replication Policy determines the user groups for which password caching will be allowed (more about this in my next post).
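An added example (not from the original posts) that models how the Password Replication Policy described here and in the Windows Server 2008 post above decides whether an account's password may be cached on an RODC: Deny entries win over Allow entries, and an account matched by neither is not cached. The default Allow and Deny entries are those Windows Server 2008 creates for a new RODC; the group memberships and account names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

@dataclass(frozen=True)
class PasswordReplicationPolicy:
    # In AD these lists are the RODC computer object's msDS-Reveal-OnDemandGroup
    # (Allow) and msDS-NeverRevealGroup (Deny) attributes; names stand in for DNs here.
    allowed: FrozenSet[str]
    denied: FrozenSet[str]

# The PRP entries Windows Server 2008 sets up by default on a new RODC.
DEFAULT_POLICY = PasswordReplicationPolicy(
    allowed=frozenset({"Allowed RODC Password Replication Group"}),
    denied=frozenset({
        "Denied RODC Password Replication Group", "Administrators",
        "Server Operators", "Backup Operators", "Account Operators",
    }),
)

# Constructed group membership (group -> direct members). Domain Admins sit in the
# Denied group by default; the branch staff group was added to the Allowed group.
SAMPLE_MEMBERSHIP: Dict[str, Set[str]] = {
    "Denied RODC Password Replication Group": {"Domain Admins"},
    "Domain Admins": {"Administrator", "cfo"},
    "Allowed RODC Password Replication Group": {"Branch Users"},
    "Branch Users": {"jbranch"},
    "Sales": {"jbranch", "contractor"},
}

def effective_groups(principal: str, membership: Dict[str, Set[str]]) -> FrozenSet[str]:
    """All groups containing the principal, directly or through nesting."""
    found: Set[str] = set()
    frontier = {principal}
    while frontier:
        name = frontier.pop()
        for group, members in membership.items():
            if name in members and group not in found:
                found.add(group)
                frontier.add(group)
    return frozenset(found)

def prp_decision(account: str, membership: Dict[str, Set[str]],
                 policy: PasswordReplicationPolicy) -> Tuple[str, str]:
    """Return ("Allow" or "Deny", reason). A Deny match always beats an Allow match,
    and an account matched by neither is not cached: the RODC forwards its logon."""
    identities = {account} | effective_groups(account, membership)
    hit = identities & policy.denied
    if hit:
        return "Deny", f"matches Deny entry {sorted(hit)[0]}"
    hit = identities & policy.allowed
    if hit:
        return "Allow", f"matches Allow entry {sorted(hit)[0]}"
    return "Deny", "no matching entry; authentication forwarded to a writable DC"
```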

Administrator Role Separation
A domain user having the Administrator role on an RODC doesn’t have to be a domain admin.
A domain user having the Administrator role can do maintenance work on the RODC such as installing software. If an intruder gains access to the credentials of this local administrator account, he will not be able to make changes on other domain controllers.