Windows.NET Beta 3: Active Directory New Features
Wolfgang Werner, Compaq, DECUS Bonn 2002

Agenda
Install Replica from Media
Domain Controller Rename
Domain Rename
Universal Group Membership Caching
Linked Value Replication
Forest Trusts
Application Directory Partitions
Defunct Schema Objects
inetOrgPerson
Install Replica from Media

Problem: installing a Domain Controller at a site with a slow network connection
– Windows 2000 replicates a complete copy of the Active Directory database, and possibly the Global Catalog, over the network

Windows.NET Server allows loading the Active Directory database from a backup of an existing Domain Controller or Global Catalog server
– Back up the system state of an existing DC
– Restore that backup to an alternate location on the new server
– Run DCPROMO in Advanced Mode: DCPROMO /ADV, and point the wizard at the restored files

Network connectivity is still required for up-to-date information
– Changes to the AD database and SYSVOL folder updates made since the backup are replicated over the network

Restrictions
– The backup cannot be older than the tombstone lifetime (default 60 days); an older backup would reintroduce objects that all other DCs have already deleted and garbage-collected
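The procedure above as an added PowerShell example (not from the slides): take the system-state backup on an existing DC with ntbackup, read the forest's tombstone lifetime from the Directory Service object, and refuse to proceed to DCPROMO /ADV when the backup file is too old. The backup path is a placeholder; everything else uses only the tools and attributes named on the slides.

```powershell
# Added example, not from the slides: prepare and sanity-check a system-state
# backup for Install-from-Media. Run on the DC that will serve as the source.

param(
    [string]$BackupFile = 'D:\IFM\dc1-systemstate.bkf'   # assumed target path for the backup
)

# ntbackup's command-line form: "backup systemstate" with /j (job name) and
# /f (output file) writes the system state (AD database, SYSVOL, registry, ...).
function New-SystemStateBackup {
    param([string]$Path)
    & ntbackup.exe backup systemstate /j 'IFM source backup' /f $Path
    if ($LASTEXITCODE -ne 0) { throw "ntbackup failed with exit code $LASTEXITCODE" }
    Get-Item $Path
}

# tombstoneLifetime lives on CN=Directory Service in the configuration partition.
# The attribute is absent while the forest uses the built-in default, which the
# slides give as 60 days.
function Get-TombstoneLifetimeDays {
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dsObj = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = $dsObj.Properties['tombstoneLifetime'].Value
    if ($null -eq $value) { 60 } else { [int]$value }
}

# A backup older than the tombstone lifetime must not be promoted: the new DC
# would hold objects every other DC has already deleted and garbage-collected.
function Test-IfmBackupAge {
    param([System.IO.FileInfo]$Backup, [int]$TombstoneDays)
    $ageDays = ((Get-Date) - $Backup.LastWriteTime).TotalDays
    # keep a one-day margin so the backup is not at the limit when DCPROMO actually runs
    [pscustomobject]@{
        Backup        = $Backup.FullName
        AgeDays       = [math]::Round($ageDays, 1)
        TombstoneDays = $TombstoneDays
        Usable        = $ageDays -lt ($TombstoneDays - 1)
    }
}

$backup = New-SystemStateBackup -Path $BackupFile
$check  = Test-IfmBackupAge -Backup $backup -TombstoneDays (Get-TombstoneLifetimeDays)
$check
if (-not $check.Usable) {
    throw "Backup is $($check.AgeDays) days old, tombstone lifetime is $($check.TombstoneDays) days: take a fresh backup"
}
# Next steps (manual): copy $BackupFile to the new server, restore it with
# ntbackup to an alternate location, run DCPROMO /ADV and choose the restored files.
```

Re-run the age check on the new server immediately before DCPROMO rather than only at backup time, since the copy and the restore may take days at exactly the kind of site this feature is meant for.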
Domain Controller Rename

In Windows 2000 a domain controller (DC) can't be renamed
In Windows.NET DCs can be renamed without being demoted first

No Explorer-like rename feature. Procedure:
– Add a new name
– Wait for the new name to propagate through the network
– Make the new name primary and reboot
– Remove the old name

Add the new name
– NETDOM COMPUTERNAME oldname /ADD:newname
Wait for replication of
– the DNS host (A) records of the new name

Update the computer account in AD
– NETDOM COMPUTERNAME oldname /MAKEPRIMARY:newname
Reboot
Wait for the replication of the DNS Locator resource records
– Defined in system32\config\netlogon.dns

Remove the old name
– NETDOM COMPUTERNAME newname /REMOVE:oldname
– Removes the old DNS host (A) records
– Removes the old name in Active Directory
Alternatively, change "Computer Name" in the System Control Panel
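The three netdom steps above as an added PowerShell example (not from the slides). It wraps the exact `netdom computername` switches shown on the slides in one script with a phase parameter, and each phase polls DNS before it lets the next step run, because the "wait for replication" steps are where a hurried rename goes wrong. Host names and the domain are placeholders; the SRV check is a loose match on nslookup's text output.

```powershell
# Added example, not from the slides: DC rename with netdom computername,
# run on the DC itself. Phases: Add, then MakePrimary, reboot, then Remove.

param(
    [ValidateSet('Add', 'MakePrimary', 'Remove')]
    [string]$Phase,
    [string]$OldName = 'dc1.contoso.com',    # assumed current FQDN of the DC
    [string]$NewName = 'ad01.contoso.com',   # assumed new FQDN
    [string]$Domain  = 'contoso.com'         # assumed AD DNS domain
)

function Invoke-Netdom {
    param([string[]]$Arguments)
    & netdom.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netdom $($Arguments -join ' ') failed (exit $LASTEXITCODE)" }
}

# Poll until the host (A) record resolves. The cache is flushed first so a
# cached negative answer does not hide a record that has just replicated.
function Wait-HostRecord {
    param([string]$Name, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        & ipconfig.exe /flushdns | Out-Null
        try { return [System.Net.Dns]::GetHostAddresses($Name) }
        catch [System.Net.Sockets.SocketException] { Start-Sleep -Seconds 60 }
    } while ((Get-Date) -lt $deadline)
    throw "Host record for $Name not resolvable after $TimeoutMinutes minutes"
}

# Poll until the DC locator SRV record for the domain lists the new name;
# these are the records netlogon registers from netlogon.dns after the reboot.
function Wait-LocatorRecord {
    param([string]$Name, [string]$Domain, [int]$TimeoutMinutes = 30)
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        $out = & nslookup.exe -type=SRV "_ldap._tcp.dc._msdcs.$Domain" 2>&1 | Out-String
        if ($out -match [regex]::Escape($Name)) { return $true }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "Locator record naming $Name not present after $TimeoutMinutes minutes"
}

switch ($Phase) {
    'Add' {
        Invoke-Netdom @('computername', $OldName, "/add:$NewName")
        Wait-HostRecord -Name $NewName | Out-Null
        Invoke-Netdom @('computername', $OldName, '/enumerate')   # lists primary and alternate names
    }
    'MakePrimary' {
        Invoke-Netdom @('computername', $OldName, "/makeprimary:$NewName")
        Write-Host "Computer account updated. Reboot, then run this script with -Phase Remove."
    }
    'Remove' {
        Wait-LocatorRecord -Name $NewName -Domain $Domain | Out-Null
        Invoke-Netdom @('computername', $NewName, "/remove:$OldName")
        Invoke-Netdom @('computername', $NewName, '/verify')      # checks DNS and SPN entries for all names
    }
}
```

`/verify` fails if the service principal names for the new name have not replicated to the DC it checks against yet; when it does, wait for replication rather than removing the old name a second time.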
Moving DCs between domains was planned but will not be implemented
Certification Authorities can not be renamed
DNS and Active Directory replication latency may cause temporary unavailability of the DC under its new name
Renaming Domains

Change the DNS and NetBIOS names
– of the forest-root domain
– of any tree-root domains
– of any parent and child domains
Restructure a domain's position within a forest

No pruning and grafting capabilities (a domain cannot be moved to another forest)
Windows.Net Help and Support:
"A domain rename will affect every domain controller in your forest and is a thorough multi-step process that requires a detailed understanding of the operation"
Resources from http://www.microsoft.com/windows2000/downloads/tools/domainrename/default.asp
– Understanding How Domain Rename Works (28 pages)
– Step-by-Step Guide to Implementing Domain Rename (69 pages)

The identity of the forest root domain cannot be changed (it can be renamed, but no other domain can become the forest root)
If Exchange 2000 is deployed in the same forest, domain rename is blocked
Each domain controller in the forest will be out of service briefly
All domain controllers in the forest that were unreachable during the operation or finished in the Error state must be demoted
Any external trust relationships must be re-established
...
Universal Group Membership Caching

In Windows 2000 a Global Catalog server is required for logging on to a domain
– To determine the user's membership in universal groups
– If no local GC is available, a GC in a remote site will be used
Recommendation: at least one GC per site
– Adds replication traffic

If no Global Catalog is available:
– If the user is a member of Domain Admins, logon succeeds
– If only a Domain Controller is available, the user fails to log on to the workstation

Workaround in Windows 2000:
HKLM\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures = 1 (REG_DWORD)
Q241789 How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons
Potential security vulnerability if universal groups are also used: the logon token is built without the universal group SIDs, so a deny ACE or any other restriction expressed through a universal group no longer applies to that session

Windows.NET adds the ability to cache the universal group memberships of users
Enabling this caching is done on a site-by-site basis

The DC will use the cached information even if a GC is available
Cache is updated in eight-hour intervals (default)
– This caching mechanism may allow stale data
– Removing a user from a universal group therefore takes effect at a caching site only at the next refresh; shorten the interval where that matters
Cached data expires from lack of use
– No logon in 180 days (default)

To adjust the default refresh interval:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Refresh Interval (DWORD, minutes)
To adjust the default expiration time period:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Site Stickiness (DWORD, minutes)

msDS-Cached-Membership: single-valued attribute added to the user object
– Stores the SIDs of the universal groups to which the user belongs
– To populate the attribute the DC must contact a GC when a user first logs on
– Not replicated between Domain Controllers

No GUI to control an update of the cached msDS-Cached-Membership attributes
Use ADSI

To diagnose group membership caching:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\20 Group Caching = 5 (full diagnostic)
Information is written to the Directory Service event log
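The site setting, the two registry values and the per-user cache attribute described above, as one added PowerShell example (not from the slides). It enables caching on a site by setting the corresponding bit of the `options` attribute on that site's NTDS Site Settings object and naming a preferred GC site, writes the refresh interval and the diagnostics level from the slides, and then reads a user's `msDS-Cached-Membership` and its time stamp from the local DC to see whether the cache is older than the refresh interval. Site, user and interval values are placeholders; run it on a DC in the site being enabled.

```powershell
# Added example, not from the slides: enable Universal Group Membership Caching
# for one site, tune the refresh interval, switch on "20 Group Caching"
# diagnostics and report the age of a user's cached membership.

param(
    [string]$SiteName        = 'Bonn',     # assumed site to enable caching in
    [string]$PreferredGcSite = 'Munich',   # assumed site whose GCs refresh the cache ('' lets the DC choose)
    [string]$UserSam         = 'jdoe',     # assumed user to inspect
    [int]   $RefreshMinutes  = 240         # 4 hours instead of the 8-hour default
)

# Bit in the "options" attribute of NTDS Site Settings that turns caching on.
$NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED = 0x20

function Enable-GroupCaching {
    param([string]$Site, [string]$GcSite)
    $configNc = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $settings = [ADSI]"LDAP://CN=NTDS Site Settings,CN=$Site,CN=Sites,$configNc"
    $options  = [int]$settings.Properties['options'].Value          # unset -> 0
    $settings.Properties['options'].Value = $options -bor $NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED
    if ($GcSite) {
        # msDS-Preferred-GC-Site takes the DN of the site whose GCs are contacted on refresh
        $settings.Properties['msDS-Preferred-GC-Site'].Value = "CN=$GcSite,CN=Sites,$configNc"
    }
    $settings.SetInfo()
}

# Per-DC registry values named on the slides: refresh interval in minutes, and
# "20 Group Caching" = 5 for full diagnostics in the Directory Service event log.
function Set-GroupCachingRegistry {
    param([int]$Minutes)
    $ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'
    Set-ItemProperty -Path "$ntds\Parameters"  -Name 'Cached Membership Refresh Interval' -Value $Minutes -Type DWord
    Set-ItemProperty -Path "$ntds\Diagnostics" -Name '20 Group Caching' -Value 5 -Type DWord
}

# msDS-Cached-Membership and its time stamp are not replicated, so the query
# must go to a DC in the caching site. The time stamp is a FILETIME (Integer8).
function Get-CachedMembershipInfo {
    param([string]$SamAccountName, [string]$Dc, [int]$RefreshMinutes)
    $root  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc")
    $props = @('distinguishedName', 'msDS-Cached-Membership', 'msDS-Cached-Membership-Time-Stamp')
    $filter = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter, $props)
    $r = $searcher.FindOne()
    if (-not $r) { throw "User $SamAccountName not found on $Dc" }
    $blob  = $r.Properties['msds-cached-membership']
    $stamp = $r.Properties['msds-cached-membership-time-stamp']
    $refreshed  = if ($stamp.Count) { [DateTime]::FromFileTimeUtc([int64]$stamp[0]) } else { $null }
    $ageMinutes = if ($refreshed) { ((Get-Date).ToUniversalTime() - $refreshed).TotalMinutes } else { $null }
    [pscustomobject]@{
        User        = [string]$r.Properties['distinguishedname'][0]
        Cached      = [bool]$blob.Count       # populated after the user's first logon at this site
        LastRefresh = $refreshed
        AgeMinutes  = if ($null -ne $ageMinutes) { [math]::Round($ageMinutes) } else { $null }
        # older than the refresh interval: the DC serves group SIDs a GC may no longer agree with
        Stale       = ($null -ne $ageMinutes) -and ($ageMinutes -gt $RefreshMinutes)
    }
}

Enable-GroupCaching -Site $SiteName -GcSite $PreferredGcSite
Set-GroupCachingRegistry -Minutes $RefreshMinutes
Get-CachedMembershipInfo -SamAccountName $UserSam -Dc $env:COMPUTERNAME -RefreshMinutes $RefreshMinutes
```

The `Stale` flag is the check worth automating: a caching DC whose entries are much older than the configured interval has either lost contact with the preferred GC site or is not refreshing at all, and the diagnostics level set above will say which in the Directory Service log.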
Linked Value Replication

Novell's Claims against Active Directory (December 1999):
"DID YOU KNOW that Microsoft recommends against distributed group management? MS recommends that all group membership should be done from a single machine.
WHY? If two administrators manage an AD group (add/delete a user to/from the group) before the group COMPLETELY synchronizes to ALL AD domain controllers, changes will be lost."

In Windows 2000 group membership is stored as a single multi-valued attribute
If the group membership is modified, the complete membership attribute is replicated
– Even when adding or removing a single member
If membership is modified on two different DCs simultaneously, changes might be lost
Windows 2000 workaround: make all membership changes from only one DC

Windows.NET removes this issue
– A linked value is a pointer to another object in the directory
– A multi-valued linked attribute is a list of pointers to other objects in the directory
– Replication metadata is stored for every single value of that list
– Now each single value can be replicated independently

Novell's Claims against Active Directory (December 1999):
"DID YOU KNOW that Microsoft recommends no more than 5000 users in an Active Directory group?"

5000 members is not a hard limit
The attribute becomes too large to be replicated in a single transaction
Windows 2000 workaround: use smaller groups nested to compose larger groups
Windows.NET removes the issue by only replicating updates to the group membership
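The lost-update scenario from the Novell quote, as an added PowerShell simulation (not from the slides and not Active Directory code). It models the conflict rule both replication styles actually apply to a single attribute or value, higher version wins and ties go to the later originating time stamp, and then replays the same two concurrent additions once with one stamp per attribute (Windows 2000) and once with one stamp per value (Windows.NET). The DC names, member names and time stamps are constructed for the example.

```powershell
# Added example, not from the slides: whole-attribute versus linked-value
# replication of a group's "member" attribute under a concurrent change.

# --- Windows 2000 style: "member" carries one version and one time stamp -----
function New-WholeAttrReplica {
    param([string]$Dc, [string[]]$Members)
    @{ Dc = $Dc; Version = 1; Time = 0; Members = [string[]]$Members }
}

function Add-MemberWholeAttr {
    param([hashtable]$Replica, [string]$Member, [int]$Time)   # $Time: originating time stamp
    $Replica.Members = [string[]]($Replica.Members + $Member)
    $Replica.Version++
    $Replica.Time = $Time
}

# Inbound replication of the whole attribute: the incoming stamp either wins
# and replaces every value, or loses and is dropped. There is no merge.
function Sync-WholeAttr {
    param([hashtable]$Target, [hashtable]$Source)
    $incomingWins = ($Source.Version -gt $Target.Version) -or
                    (($Source.Version -eq $Target.Version) -and ($Source.Time -gt $Target.Time))
    if ($incomingWins) {
        $Target.Members = [string[]]$Source.Members
        $Target.Version = $Source.Version
        $Target.Time    = $Source.Time
    }
}

# --- Windows.NET style: every value of "member" carries its own metadata -----
function New-LinkedValueReplica {
    param([string]$Dc, [string[]]$Members)
    $values = @{}
    foreach ($m in $Members) { $values[$m] = @{ Present = $true; Version = 1; Time = 0 } }
    @{ Dc = $Dc; Values = $values }
}

function Set-LinkedValue {
    param([hashtable]$Replica, [string]$Member, [bool]$Present, [int]$Time)
    $old = $Replica.Values[$Member]
    $ver = if ($old) { $old.Version + 1 } else { 1 }
    $Replica.Values[$Member] = @{ Present = $Present; Version = $ver; Time = $Time }
}

# Inbound replication merges value by value: unknown values are taken as-is and
# a conflict is resolved per value, never for the attribute as a whole.
function Sync-LinkedValues {
    param([hashtable]$Target, [hashtable]$Source)
    foreach ($member in $Source.Values.Keys) {
        $in  = $Source.Values[$member]
        $cur = $Target.Values[$member]
        $incomingWins = (-not $cur) -or ($in.Version -gt $cur.Version) -or
                        (($in.Version -eq $cur.Version) -and ($in.Time -gt $cur.Time))
        if ($incomingWins) { $Target.Values[$member] = @{ Present = $in.Present; Version = $in.Version; Time = $in.Time } }
    }
}

function Get-LinkedMembers {
    param([hashtable]$Replica)
    @($Replica.Values.Keys | Where-Object { $Replica.Values[$_].Present } | Sort-Object)
}

# Scenario: two admins add different users on two DCs before either change replicates.
$dc1 = New-WholeAttrReplica 'DC1' @('alice')
$dc2 = New-WholeAttrReplica 'DC2' @('alice')
Add-MemberWholeAttr $dc1 'bob'   -Time 10
Add-MemberWholeAttr $dc2 'carol' -Time 11
Sync-WholeAttr $dc1 $dc2; Sync-WholeAttr $dc2 $dc1
"Windows 2000: DC1=$($dc1.Members -join ',')  DC2=$($dc2.Members -join ',')"   # bob is lost on both DCs

$dc1 = New-LinkedValueReplica 'DC1' @('alice')
$dc2 = New-LinkedValueReplica 'DC2' @('alice')
Set-LinkedValue $dc1 'bob'   $true -Time 10
Set-LinkedValue $dc2 'carol' $true -Time 11
Sync-LinkedValues $dc1 $dc2; Sync-LinkedValues $dc2 $dc1
"Windows.NET: DC1=$((Get-LinkedMembers $dc1) -join ',')  DC2=$((Get-LinkedMembers $dc2) -join ',')"   # alice,bob,carol on both
```

In the released product (Windows Server 2003) the per-value metadata is only used once the forest functional level has been raised; `repadmin /showobjmeta <DC> <GroupDN>` then lists one metadata line per member value, which is the quick way to confirm that a forest is no longer replicating whole attributes.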
Forest Trusts

Windows 2000 Kerberos authentication is only forest-wide
To create trusts between forests, explicit (NTLM, non-transitive) trusts between every pair of domains in the two forests must be created

In Windows.NET a transitive Kerberos trust between two forests' root domains can be created
– Authentication and authorization occur transparently between the linked forests
Forest trusts are targeted at companies
– undergoing mergers or acquisitions

Two-way
– All users in both forests are able to access all resources anywhere in either forest
One-way: incoming
– Only users in the first forest are able to access resources anywhere in the second forest
– Users in the second forest will not be able to access any resources in the first forest
One-way: outgoing
– Only users in the second forest are able to access resources anywhere in the first forest
– Users in the first forest will not be able to access any resources in the second forest
"Able to access" means able to be authenticated; permissions on the resources still have to be granted to the other forest's principals

Forest trusts can only be created between two forests
The relationship is not transitive between forests (A trusting B and B trusting C does not make A trust C)
Exchange Server still sees two different organizations
No way to unify forests into one forest
– Still two Global Catalogs
– Still two Schemas
Application Directory Partitions

A naming context (also called a directory partition)
– Stores application-specific data in the Active Directory
– Used for redundancy, availability, or fault tolerance
Windows 2000: only three choices of replication scope
– Not replicated
– Domain-wide (domain naming context)
– Forest-wide (configuration naming context)

In Windows 2000 data may go to places where it is not used
– All application data is replicated to every DC in the domain
– Every object in Active Directory is put into the GC (its partial attribute set)
Inappropriate to store volatile data in the DS
– Gets replicated widely
– Data may not be up to date on various domain controllers

In Windows.NET additional naming contexts can be created
– Used by Active Directory enabled applications to store and replicate data
– Usually created by the applications that will use them
– Contain any hierarchy of objects, except security principals
– Replicated only to specific domain controllers in a forest
– Objects are not replicated to the GC

Naming
– Part of the forest namespace
– Like a domain directory partition
– Same DNS and LDAP naming conventions, e.g. DNS: adp1.microsoft.com, LDAP: DC=adp1,DC=microsoft,DC=com
Three possible placements within the forest namespace:
– A child of a domain directory partition
– A child of an application directory partition
– A new tree in the forest
Domain directory partitions cannot be children of an application directory partition

Ntdsutil can be used to perform various operations
– For testing and troubleshooting purposes only
– Applications will provide the utilities

The Knowledge Consistency Checker (KCC) automatically generates and maintains the replication topology for all application directory partitions
Replicas follow the same intersite replication schedule as the domain directory partition

Example: Active Directory integrated DNS
Ability to replicate zones
– Among a given set of DNS servers of different domains: custom application partition managed with dnscmd.exe (/CreateDirectoryPartition, /EnlistDirectoryPartition, /UnenlistDirectoryPartition)
– To all DNS servers in the forest: default application partition ForestDnsZones
– To all DNS servers in the domain: default application partition DomainDnsZones
The default partitions are created with dnsmgmt.msc or dnscmd.exe

Example: List partitions with ntdsutil.exe
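The ntdsutil listing the slide refers to, as an added PowerShell example (not from the slides). It drives the `domain management` menu of the Windows.NET / Windows Server 2003 ntdsutil from the command line, tells application partitions apart from domain, configuration and schema partitions by looking at their crossRef objects, shows where each application partition is replicated, and then creates a custom DNS partition and enlists a DNS server from another domain with the dnscmd switches named on the slide. Server and partition names are placeholders.

```powershell
# Added example, not from the slides: inventory naming contexts with
# ntdsutil.exe, then create and enlist a custom DNS application partition.

param(
    [string]$Dc            = 'dc1.contoso.com',         # assumed DC to query
    [string]$DnsServer2    = 'dns2.emea.contoso.com',   # assumed DNS server in another domain of the forest
    [string]$PartitionFqdn = 'dnsapp.contoso.com'       # assumed FQDN of the custom partition
)

# Each quoted argument is one ntdsutil menu command. In the domain management
# menu, "list" prints one line per naming context as "<n> - <DN>".
function Invoke-NtdsutilDomainManagement {
    param([string]$Server, [string[]]$Commands)
    & ntdsutil.exe 'domain management' 'connections' "connect to server $Server" 'quit' @Commands 'quit' 'quit' 2>&1 |
        ForEach-Object { [string]$_ }
}

function Get-NamingContext {
    param([string]$Server)
    Invoke-NtdsutilDomainManagement -Server $Server -Commands @('list') |
        ForEach-Object { if ($_ -match '^\s*\d+ - (?<dn>\S.*\S)\s*$') { $Matches['dn'] } }
}

# A domain NC's crossRef has FLAG_CR_NTDS_DOMAIN (0x2) set in systemFlags;
# configuration and schema are known from RootDSE; the rest are application
# directory partitions.
function Get-PartitionKind {
    param([string]$Server, [string]$Dn)
    $rootDse  = [ADSI]"LDAP://$Server/RootDSE"
    $configNc = [string]$rootDse.configurationNamingContext
    if ($Dn -eq $configNc)                            { return 'Configuration' }
    if ($Dn -eq [string]$rootDse.schemaNamingContext) { return 'Schema' }
    $partitions = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Server/CN=Partitions,$configNc")
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($partitions, "(&(objectClass=crossRef)(nCName=$Dn))", @('systemFlags'))
    $r = $searcher.FindOne()
    if (-not $r -or -not $r.Properties['systemflags'].Count) { return 'Unknown' }
    if ([int]$r.Properties['systemflags'][0] -band 0x2) { 'Domain' } else { 'Application' }
}

$inventory = foreach ($dn in Get-NamingContext -Server $Dc) {
    $kind = Get-PartitionKind -Server $Dc -Dn $dn
    $replicas = if ($kind -eq 'Application') {
        # "list nc replicas <DN>" names the DCs holding a replica of that partition
        (Invoke-NtdsutilDomainManagement -Server $Dc -Commands @("list nc replicas $dn")) -join ' '
    } else { '' }
    [pscustomobject]@{ Partition = $dn; Kind = $kind; Replicas = $replicas }
}
$inventory | Format-Table -AutoSize

# Custom DNS partition: create it on one DNS server, enlist a second one, so
# zones stored in it replicate only between those servers and never to the GC.
& dnscmd.exe $Dc /CreateDirectoryPartition $PartitionFqdn
& dnscmd.exe $DnsServer2 /EnlistDirectoryPartition $PartitionFqdn
& dnscmd.exe $Dc /EnumDirectoryPartitions /Custom    # lists custom partitions and their enlistment state
```

Because application partitions never reach the Global Catalog, the `Replicas` column is the complete list of DCs that hold the data; anything that needs to read it has to be pointed at one of those servers, which is also why the slides say the partition may not hold security principals.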
Defunct Schema Objects

The directory schema describes the kinds of objects that can reside in a directory
– Allowable parent object types for an object
– Mandatory and optional attributes for an object
– Syntax for an attribute
Schema objects: classes and attributes

Schema additions are permanent
– No way back (schema objects cannot be deleted)
– In both Windows 2000 and Windows.NET
In Windows.NET schema objects
– Can be disabled (marked "defunct")
– Can be redefined

Redefining schema objects
– The object identifier and the ldapDisplayName of a defunct object can be reused
Example:
– Active Directory does not permit you to change the syntax of an attribute after it has been defined in the schema
– Deactivate the attribute and create a new attribute that reuses the same object identifier and LDAP display name as the old attribute, but with the desired attribute syntax

To deactivate a schema object, set its isDefunct attribute to TRUE
– Programmatically (ADSI/LDAP) or with the Active Directory Schema snap-in
– Not possible for base schema objects, nor for an attribute still listed in mustContain/mayContain of an active class

To reactivate a schema object, set isDefunct to FALSE
Any instances become valid, normal objects again
There must be no collisions with active schema objects (ldapDisplayName, schemaIdGuid, attributeID/governsID, ...)
inetOrgPerson

Novell's Claims against Active Directory (December 1999):
"DID YOU KNOW that Windows2000 does not conform to LDAP standards? This means that many off-the-shelf LDAP applications (Netscape, Oblix, Netegrity, etc.) cannot run against Active Directory. It seems that Windows2000 doesn't derive users from InetOrgPerson, which is the LDAP standard. Therefore, most LDAP applications won't recognize Active Directory users."

Windows 2000 Active Directory
– The user account object is implemented as the 'user' class
Other LDAP implementations
– The user account object is implemented as the inetOrgPerson class (RFC 2798)
– Do not recognize AD users

In Windows.NET Active Directory inetOrgPerson is part of the base schema and derived from user, so an inetOrgPerson object is a full security principal:
– Windows.NET inheritance chain: top (abstract) -> person (abstract) -> organizationalPerson (abstract) -> user (structural) -> inetOrgPerson (structural)
– RFC 2798 inheritance chain: top (abstract) -> person (structural) -> organizationalPerson (structural) -> inetOrgPerson (structural)

Exchange 2000 schema extension
– secretary: 1.2.840.113556.1.2.444
– labeledURI: 1.2.840.113556.1.2.593
inetOrgPerson, RFC 2798
– secretary: 0.9.2342.19200300.100.1.21
– labeledURI: 1.3.6.1.4.1.250.1.57
Same lDAPDisplayName, different OID: the RFC attributes cannot be added while the Exchange attributes hold the names
Solution: change the lDAPDisplayName of the Exchange attributes
– secretary -> msExchangeAssistantName

inetOrgPerson and user objects are different entities
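The schema operations from the Defunct Schema Objects and inetOrgPerson sections, as one added PowerShell example (not from the slides). It provides a schema search helper, a collision check over lDAPDisplayName, OID and schemaIDGUID against active (non-defunct) objects, a function that sets `isDefunct` and refuses to reactivate an object whose identifiers collide, and finally applies the collision check to the inetOrgPerson case: whether `secretary` and `labeledURI` in this forest carry the RFC 2798 OIDs or are already taken by attributes with other OIDs. The systemFlags bit for base schema objects and the RFC OIDs are facts; running as a Schema Admin against the schema master is assumed.

```powershell
# Added example, not from the slides: defunct/reactivate schema objects safely
# and detect lDAPDisplayName/OID collisions such as the Exchange 2000 vs RFC 2798 case.

$rootDse  = [ADSI]'LDAP://RootDSE'
$schemaNc = [string]$rootDse.schemaNamingContext
$FLAG_SCHEMA_BASE_OBJECT = 0x10   # systemFlags bit on base (Category 1) schema objects, which cannot be made defunct

# First value of a search-result property, or $null when the attribute is absent.
function Get-First { param($Props, [string]$Name) if ($Props[$Name].Count) { $Props[$Name][0] } else { $null } }

function Find-SchemaObject {
    param([string]$Filter)
    $root  = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$schemaNc")
    $props = @('lDAPDisplayName', 'attributeID', 'governsID', 'schemaIDGUID', 'isDefunct', 'systemFlags', 'attributeSyntax')
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $Filter, $props)
    foreach ($r in $searcher.FindAll()) {
        $p = $r.Properties
        [pscustomobject]@{
            Path      = $r.Path
            Name      = [string](Get-First $p 'ldapdisplayname')
            Oid       = [string]((Get-First $p 'attributeid') + (Get-First $p 'governsid'))   # attributes have one, classes the other
            Guid      = New-Object System.Guid -ArgumentList (,[byte[]](Get-First $p 'schemaidguid'))
            Syntax    = [string](Get-First $p 'attributesyntax')
            IsDefunct = [bool](Get-First $p 'isdefunct')
            IsBase    = ([int](Get-First $p 'systemflags') -band $FLAG_SCHEMA_BASE_OBJECT) -ne 0
        }
    }
}

# Reusing an OID, an lDAPDisplayName or a schemaIDGUID is only possible when no
# active (non-defunct) schema object still holds it.
function Test-SchemaCollision {
    param([string]$LdapDisplayName, [string]$Oid, [Guid]$SchemaIdGuid = [Guid]::Empty)
    $clauses = "(lDAPDisplayName=$LdapDisplayName)(attributeID=$Oid)(governsID=$Oid)"
    if ($SchemaIdGuid -ne [Guid]::Empty) {
        $hex = ($SchemaIdGuid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''   # LDAP binary filter escaping
        $clauses += "(schemaIDGUID=$hex)"
    }
    @(Find-SchemaObject -Filter "(&(!(isDefunct=TRUE))(|$clauses))")
}

function Set-SchemaDefunct {
    param([string]$LdapDisplayName, [bool]$Defunct)
    $obj = Find-SchemaObject -Filter "(lDAPDisplayName=$LdapDisplayName)"
    if (-not $obj) { throw "$LdapDisplayName is not in the schema" }
    if ($Defunct -and $obj.IsBase) { throw "$LdapDisplayName is a base schema object and cannot be made defunct" }
    if (-not $Defunct) {
        # reactivation: every identifier of the defunct object must still be free
        $clash = Test-SchemaCollision -LdapDisplayName $obj.Name -Oid $obj.Oid -SchemaIdGuid $obj.Guid |
                 Where-Object { $_.Path -ne $obj.Path }
        if ($clash) { throw "Cannot reactivate $LdapDisplayName, identifiers collide with: $(($clash | ForEach-Object { $_.Name }) -join ', ')" }
    }
    $entry = [ADSI]($obj.Path)
    $entry.Properties['isDefunct'].Value = $Defunct
    $entry.SetInfo()   # written on the schema master, replicated like any other schema change
}

# inetOrgPerson case from the slides: is each RFC 2798 attribute present, or is
# its name already occupied by an attribute with a different OID?
$rfc2798 = @{ secretary = '0.9.2342.19200300.100.1.21'; labeledURI = '1.3.6.1.4.1.250.1.57' }
foreach ($name in $rfc2798.Keys) {
    $existing = Find-SchemaObject -Filter "(lDAPDisplayName=$name)"
    if (-not $existing)                        { "${name}: not in the schema, the RFC attribute can be added" }
    elseif ($existing.Oid -eq $rfc2798[$name]) { "${name}: RFC 2798 definition present" }
    else { "${name}: name taken by OID $($existing.Oid); rename that attribute's lDAPDisplayName before adding the RFC attribute" }
}
```

`Test-SchemaCollision` is also the pre-flight check for the syntax-change procedure on the Defunct Schema Objects slide: mark the old attribute defunct with `Set-SchemaDefunct -Defunct $true`, confirm the check returns nothing for the old name and OID, and only then add the replacement attribute with the new syntax.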