ACTIVE DIRECTORY OVERVIEW
Ondřej Ševeček | GOPAS a.s. |
MCM: Directory Services | MVP: Enterprise Security | CISA | [email protected] | www.sevecek.com |
NETWORK SERVICES
Central Database
LDAP – Lightweight Directory Access Protocol
database query language, similar to SQL
TCP/UDP 389, SSL TCP 636
Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
D/COM Dynamic TCP – Replication, NSPI, SPN Registration, RODC pass-through domain membership
Kerberos
UDP/TCP 88, KPASSWD TCP/UDP 464
Windows NT 4.0 SAM
SMB/CIFS TCP 445 (or NetBIOS) – password resets, SAM queries
SMB/DCOM Dynamic TCP – Netlogon: NTLM pass-through, Kerberos PAC validation
Client Port Requirements vs. DCs
DNS – UDP 53 (TCP 53 over 512 B of request/response)
Ping – XP/2003 and older
LDAP – UDP 389, TCP 389, TCP 636, TCP 3268, TCP 3269
Kerberos – UDP/TCP 88, UDP/TCP 464
SMB – TCP 445
NTP – UDP 123
Outlook – Netlogon DCOM (GC)
Server – Netlogon DCOM (pass-through authentication)
Server – Replication DCOM (dNSHostName, SPN registration)
Incoming trust establishment
DNS
UDP queries in case of forwarders
TCP zone transfer in case of stub zones
LDAP UDP
site location/netlogon anonymous query for domain SID and NetBIOS name
SMB
anonymous secure channel LSASS query
Design Considerations
Distributed system
DCs disconnected for very long times
several months
Multimaster replication
with some FSMO roles
Maintain compatibility
with forest and domain functionality levels
Design Considerations
Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or bad satellite connectivity only. DCs are synced after the ship is berthed at the main office.
Challenge: Must work independently for long time periods. Different independent cruise liners/DCs can accommodate changes to user accounts, email addresses and Exchange settings. Cannot afford loss of any one.
Network Interactions (DC Location)
Client 2000+ → DNS: SRV query for the Any DC List
Client 2000+ → Any DC (LDAP UDP): Get My Site
Client 2000+ → DNS: SRV query for My Site DC
Client 2000+ → My Site DC 2000+
Network Interactions (2008/Vista+ DC Location)
Client Vista+ → DNS: SRV query for the Any DC List
Client Vista+ → Any DC 2008+ (LDAP UDP): Get My Site, plus Next Closest Site
Client Vista+ → DNS: SRV query for My Site DC, or SRV query for Close Site DC
Client Vista+ → My Site DC 2000+, or Close Site DC 2000+
Network Interactions (Join Domain)
Client 2000+ → DC 2000+ (Kerberos): TGT: User
Client 2000+ → DC 2000+ (SMB): TGS: CIFS, SAM Interface
Network Interactions (Local Logon)
Client 2000+ → DC 2000+ (Kerberos): TGT: User; TGS: LDAP, CIFS
Client 2000+ → DC 2000+ (LDAP): GPO List
Client 2000+ → DC 2000+ (SMB): GPO Download
Network Interactions (Kerberos Network Logon)
Client 2000+ → DC 2000+ (Kerberos): TGT: User; TGS: Server
Client 2000+ → Server 2000+: App Traffic, TGS: Server in-band
Server 2000+ → DC 2000+ (SMB, D/COM Dynamic TCP): Occasional PAC Validation
Network Interactions (NTLM Network Logon)
Client 2000+ → Server 2000+: App Traffic, NTLM in-band
Server 2000+ → DC 2000+ (SMB, D/COM Dynamic TCP): NTLM Pass-through
Network Interactions (Basic/RDP Logon)
Client 2000+ → Server 2000+: App Traffic, clear text in-band
Server 2000+ → DC 2000+
Database
Microsoft JET engine
JET Blue
common with Microsoft Exchange
used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker, Windows Search
%WINDIR%\NTDS\NTDS.DIT
ESENTUTL
Opened by LSASS.EXE
Scenarios (Service – Support – Notes)
multi NIC – not recommended – more adapters register into DNS; SMB client/server/network-provider issues
DNS – recommended
DHCP – yes
IAS/NPS – yes
RRAS – not recommended – creates virtual network adapters which register into DNS; SMB client/server/network-provider issues
CA – not recommended – cannot rename DC; cannot remove AD; moving CA requires keeping the same computer name
IIS – not recommended – creates user accounts; DCPROMO changes some NTFS permissions; IIS 7.0 uses IUSR and IIS_IUSRS which are not available in a 2003- domain
TS/RDS – no – DCPROMO changes some NTFS permissions; regular users can access the server locally
TS/RDS Licensing – recommended – if domain/forest discovery required
WDS – yes
WINS – not recommended – disable NetBIOS at all
RMS – not recommended – requires IIS
ADFS – not recommended – requires IIS
SQL – no – creates user accounts; DCPROMO changes some NTFS permissions
Exchange 2000 – must
Exchange 2003 – no
Exchange 2007+ – not recommended – different hardware/memory requirements; requires IIS; must be GC, no failover to other DCs; cannot be clustered; no role separation
Cluster – not supported
NLB – not supported
Forefront Client Security – no
SharePoint – not recommended – requires IIS; no role separation; performance issues
single-domain forest – recommended – forest is a security boundary; delegation can be achieved by OU security; can be more space consuming but GC usually contains most attributes, e.g. Outlook/GC/group modification KB306349
single-label FQDN
Installation
DCPROMO /adv
DCPROMO /unattend:unattend.txt
also installs binaries on 2008 and newer
even when only the binaries are installed, Windows Firewall also receives the exceptions for AD!
DCPROMO /uninstallbinaries
IFM installation
must be from the same OS version
%systemroot%\debug\dcpromo.log
Lab: Installation
Install IDTT (idtt.local) on SRV1
Check services before and after install
Active Directory Domain Services
Security Accounts Manager
Kerberos Key Distribution Center
Netlogon
Check IPv4 and IPv6 DNS settings
Lab: Sample data population
Run the populate-ad.bat script
Investigate what changes it made
DSA.MSC, DSSITE.MSC
do not correct anything even if you find any problems
Installed services
LSASS.EXE hosts:
Security Accounts Manager (SAM) – TCP 445 SMB + Named Pipes
Kerberos Key Distribution Center (KDC) – UDP, TCP 88 Kerberos
Active Directory Domain Services (NTDS) – UDP, TCP 389, ... LDAP
database: NTDS.DIT
Clients:
NT 4.0 – NTLM pass-through, PAC validation
Windows 2000+ – LDAP/ADSI client; NTDS replication, FIM/DRS API client, connect to domain – D/COM Dynamic TCP
Restartable AD DS
Windows Server 2008
Active Directory Domain Services service
LSASS.EXE
Can log on DS Restore Mode Admin
HKLM\System\CurrentControlSet\Control\LSA
Netlogon
Active Directory Client
“secure channel” with a selected DC
Site aware DC Locator
Connects computer to domain
Changes computer password
SID/Name translation
On DCs de/registers DC Locator DNS SRV records
Uninstallation
DCPROMO
requires working replication connectivity with other DCs
DCPROMO /forceremoval does not access network at all
NTDSUTIL Metadata Cleanup
Connection
Connect to server srv2.idtt.local
Quit
Select operation target
List sites
Select site 0
List domains in site
Select domain 0
List servers in site
Select server 0
Quit
Remove selected server
Disabling IPv6
Never uncheck the protocol in NIC properties
Exchange not working
Clients not joining domain
HKLM\System\CurrentControlSet\Services\TCPIPv6\Parameters
DisabledComponents (DWORD) = 0x000000FF
Multinetworking
Windows 2008 DC/DNS 2008 does not register DHCP assigned IP addresses anymore!
Lab: Unattended Installation
Move SRVs to appropriate sites
disable the original NIC first
Set correct DNS client settings
Install DCs on the remaining servers automatically
install DNS only on SRV2
dcpromo /unattend:unattend-dc-replica.txt
dcpromo /unattend:unattend-dc-child.txt
Wait until the DNS _msdcs zone is populated correctly with all the DC GUIDs
restart NETLOGONs if you do not want to wait
Renaming DC
NETDOM COMPUTERNAME /Add
let replicate through the whole forest
NETDOM COMPUTERNAME /MakePrimary
NETDOM COMPUTERNAME /Remove
Renaming domains
RENDOM
can rename forest root domain as well
Lab: Troubleshoot DNS
On SRV1 open the DNS console
Delete contents of the _msdcs zone
On each DC restart the Netlogon service
NET STOP netlogon & NET START netlogon
Restart-Service Netlogon
or NLTEST /DSREGDNS
Confirm the zone got populated correctly
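The records the DC Location diagrams depend on and that this lab re-creates, as an added Python example that is not part of the slides: it lists the _msdcs SRV/CNAME names a DC in a given site should own (what Netlogon / NLTEST /DSREGDNS registers) and diffs them against a zone dump so a DC that is not locatable shows up; the domain, site, host and GUID values are constructed samples.

```python
"""Added example (not from the slides): expected DC Locator records for a
DC and a check of a zone dump against them. Names are constructed."""

def expected_locator_records(domain, forest, site, dsa_guid, is_gc=True):
    """Set of (owner_name, rrtype) a DC registers for the locator.
    Generic names answer the 'SRV: Any DC List' query, the _sites names
    the 'SRV: My Site DC' query; the CNAME lets replication partners
    find the DC by its DSA GUID (the GUIDs the lab waits for)."""
    recs = set()
    for svc in ("_ldap", "_kerberos"):
        recs.add((f"{svc}._tcp.dc._msdcs.{domain}", "SRV"))
        recs.add((f"{svc}._tcp.{site}._sites.dc._msdcs.{domain}", "SRV"))
    recs.add((f"{dsa_guid}._msdcs.{forest}", "CNAME"))
    if is_gc:
        recs.add((f"_ldap._tcp.gc._msdcs.{forest}", "SRV"))
        recs.add((f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}", "SRV"))
    return recs

def missing_records(zone, expected, dc_fqdn):
    """zone: {owner_name: {rrtype: [target_fqdn, ...]}}.
    Returns sorted (owner, rrtype) pairs that do not point at dc_fqdn,
    i.e. the ways in which this DC is currently not locatable."""
    return sorted(r for r in expected
                  if dc_fqdn not in zone.get(r[0], {}).get(r[1], []))

def client_query_order(domain, site=None):
    """SRV lookups a client issues: the site-specific name first once the
    site is known (from the LDAP UDP 'Get My Site' ping), else any-DC list."""
    names = [f"_ldap._tcp.dc._msdcs.{domain}"]
    if site:
        names.insert(0, f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}")
    return names

# Constructed zone dump for idtt.local after the _msdcs zone was partly
# rebuilt; the GUID is a placeholder, not a real DSA GUID.
DC = "srv1.idtt.local"
GUID = "11111111-2222-3333-4444-555555555555"
SAMPLE_ZONE = {
    "_ldap._tcp.dc._msdcs.idtt.local": {"SRV": [DC, "srv2.idtt.local"]},
    "_kerberos._tcp.dc._msdcs.idtt.local": {"SRV": [DC]},
    "_ldap._tcp.London._sites.dc._msdcs.idtt.local": {"SRV": [DC]},
    "_ldap._tcp.gc._msdcs.idtt.local": {"SRV": ["srv2.idtt.local"]},
}

def check_srv1():
    """Records SRV1 (site London, GC) still lacks in SAMPLE_ZONE."""
    exp = expected_locator_records("idtt.local", "idtt.local", "London", GUID)
    return missing_records(SAMPLE_ZONE, exp, DC)

if __name__ == "__main__":
    for owner, rrtype in check_srv1():
        print(f"missing {rrtype:5} {owner}")
```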
Lab: Troubleshoot replication
On SRV1 open DSSITE.MSC
Move SRV1 into London site
Clear DNS resolver cache
NET STOP dnscache & NET START dnscache
Replicate configuration to all the other DCs
Force all the other DCs to Check replication topology
Replicate configuration from all the DCs back to SRV1
Force replication of all the links
Check the replication for errors
Initial Synchronization
HKLM\System\CCS\Services\NTDS\Parameters Repl Perform Initial Synchronizations
During startup, DC tries to replicate with at least one partner
Fast startup on isolated network
Loses protection against
USN rollback (restore snapshot/image)
Restore/Seizure of FSMO roles
DNS Best Practice
DC1 (AD, DNS) and DC2 (AD, DNS): each DC's DNS client points at the other DC's DNS server
Lab: DNS Best Practice
Disable IPv6 in registry
disable-ipv6.reg
Reconfigure SRV1 and SRV2 to query DNS mutually as the DNS best practice says
Reconfigure all the other DCs to use SRV1 and SRV2 for their client DNS queries
PLANNING
Maximum number of objects
2 147 483 393
Distinguished Name Tag
internal database identifier per DC
only incremented even when objects are deleted
Means all partitions on all DCs together
Installing new DC starts with DNT=0
can be used to overcome the limit after huge object deletes
cannot install from IFM – reuses DNTs
Maximum number of SIDs
1 073 741 823 (30-bit)
RID Pool limit
31-bit with Windows 2012, or Windows 2008 R2 + KB2642658
Operational attribute sIDCompatibilityVersion = 1
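An added Python example (not from the slides) for the SID/RID limits above: it converts SIDs between the S-1-... string form and the binary objectSid form and reports whether a principal's RID still fits the 30-bit pool, needs sIDCompatibilityVersion = 1, or is out of range; the sample SIDs are constructed.

```python
"""Added example (not from the slides): SID string <-> binary objectSid
conversion and a RID check against the 30-bit / 31-bit pool limits."""
import struct

RID_LIMIT_30BIT = 1_073_741_823   # ceiling without sIDCompatibilityVersion=1
RID_LIMIT_31BIT = 2 ** 31 - 1     # ceiling with the 31-bit RID pool enabled

def sid_to_bytes(sid):
    """'S-1-5-21-a-b-c-rid' -> binary objectSid: revision byte, sub-authority
    count byte, 48-bit big-endian authority, little-endian 32-bit sub-authorities."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S" or parts[1] != "1":
        raise ValueError(f"not a SID: {sid}")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if len(subs) > 15:
        raise ValueError("too many sub-authorities")
    out = struct.pack("BB", 1, len(subs)) + authority.to_bytes(6, "big")
    return out + b"".join(struct.pack("<I", s) for s in subs)

def bytes_to_sid(data):
    """Inverse of sid_to_bytes, with a length sanity check."""
    rev, count = data[0], data[1]
    if rev != 1 or len(data) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(data[2:8], "big")
    subs = struct.unpack(f"<{count}I", data[8:])
    return "S-1-" + "-".join(str(x) for x in (authority, *subs))

def rid_status(sid, compat_31bit=False):
    """Split a domain principal SID into (domain_sid, rid) and say whether
    the RID fits the pool currently allowed (30-bit by default)."""
    parts = sid.split("-")
    domain_sid, rid = "-".join(parts[:-1]), int(parts[-1])
    limit = RID_LIMIT_31BIT if compat_31bit else RID_LIMIT_30BIT
    if rid <= limit:
        status = "ok"
    elif rid <= RID_LIMIT_31BIT:
        status = "needs sIDCompatibilityVersion=1"
    else:
        status = "invalid"
    return domain_sid, rid, status

if __name__ == "__main__":
    # Constructed sample SID; the domain part is not a real domain SID.
    sample = "S-1-5-21-1004336348-1177238915-682003330-1500"
    print(sid_to_bytes(sample).hex(), bytes_to_sid(sid_to_bytes(sample)))
    print(rid_status("S-1-5-21-1-2-3-1073741824"))
```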
Atomic transaction
Group Limits
Access Token
1025 groups
including local/virtual groups
Group members
up to 5000 on Windows 2000 FFL (recommended limit only due to the atomic transaction size)
no limit (500 million) with FFL 2003+ (linked multivalue replication)
Domain and DC limits
Maximum number of domains
800 with 2000 forest functional level
1200 with 2003+ forest functional level (non-linked multivalue)
Recommended maximum number of DCs
1200 DCs with 2003- domain level (FRS replication)
Some other limits
Maximum GPOs applied
Each client will process up to 999 GPOs
Maximum number of trust links
Kerberos cannot traverse more than 10 trusts
Attribute limits
limits can be set in schema
rangeLower
rangeUpper
Unicode String – maximum 10 485 552 characters
Octet String (binary data) – maximum 10 485 560 bytes
In case of multivalue, every value up to this limit
Maximum 800/1200 (non-linked) values per object
Space consumption
Single attribute overhead ~ 80 B
1024 B binary ~ 1024 + 80 B in DB
1024 characters ~ 2048 B + 80 in DB
Empty user/computer account
3.7 kB
Pure OU or a single DNS record
1.2 kB
The big data
thumbnailPhoto
maximum 30 kB
userCertificate
1500 B
msPKIAccountCredentials
Common frequent modifying operations
Admin induced
Create users/groups/computers/DNS
Change group membership
User induced
Change password on users/computers
users = 42??, computers = 30
DNS dynamic update
default = 14??
lastLogonTimestamp
default = 14??
Common modifications example
200 people
200 users = 100x / month pwd+pwdLastSet
200 users = 400x / month lastLogonTimeStamp
200 pc = 200x / month pwd+pwdLastSet
200 pc = 400x / month dns update
= 1100x /month ~= 1.5 / hour
5000 people
ACTIVE DIRECTORY LDS (ADAM)
Active Directory Troubleshooting
Application LDAP
Arbitrary port number, can run TLS
Multiple instances and partitions on a single box
replication
managed by Active Directory Sites and Services snap-in (requires MS-ADLDS-DisplaySpecifiers.ldf)
Separate schema
custom attributes etc.
can use different naming attributes (O=, C=)
Has forest functional level (no DFL)
Authentication
LDAP Simple Bind
NTLM/Kerberos for AD principals
Proxy authentication into AD
%systemroot%\ADAM
userProxy.ldf
userProxyFull.ldf
Mapping DNS to X.500
Works for AD DS as well as AD LDS
Client feature of ADSI
accounting.ad.sevecek.com
DC=accounting,DC=ad,DC=sevecek,DC=com
AD DS registers partition names in DNS
automatically
For AD LDS you must register the DNS name in
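The DNS-to-X.500 mapping above in both directions, as an added Python example that is not part of the slides; the names are the ones the slide uses, and the single-label check reflects the deck's single-label FQDN entry in the scenarios list.

```python
"""Added example (not from the slides): the ADSI-style mapping between a
DNS domain name and its DC= distinguished name, plus a single-label check."""

def dns_to_dn(dns_name):
    """'accounting.ad.sevecek.com' -> 'DC=accounting,DC=ad,DC=sevecek,DC=com'.
    A trailing dot is tolerated; labels are validated as DNS host labels."""
    labels = [lab for lab in dns_name.strip().rstrip(".").split(".") if lab]
    if not labels:
        raise ValueError("empty DNS name")
    for lab in labels:
        if not all(c.isalnum() or c == "-" for c in lab):
            raise ValueError(f"invalid DNS label: {lab!r}")
    return ",".join(f"DC={lab}" for lab in labels)

def dn_to_dns(dn):
    """Inverse mapping. Only the DC= components are used, so any object or
    partition DN yields the DNS name of the domain that owns it
    (DC= values never contain escaped commas, so a plain split is safe)."""
    rdns = [r.strip() for r in dn.split(",")]
    labels = [r[3:] for r in rdns if r.upper().startswith("DC=")]
    if not labels:
        raise ValueError("no DC= components in DN")
    return ".".join(labels)

def is_single_label(dns_name):
    """True for names like 'IDTT' with no dot: the single-label FQDN case."""
    return "." not in dns_name.strip().rstrip(".")

if __name__ == "__main__":
    print(dns_to_dn("accounting.ad.sevecek.com"))
    print(dn_to_dns("CN=Users,DC=ad,DC=sevecek,DC=com"))
```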
AD DS vs. AD LDS Sync and Management
ADSchemaAnalyzer
exports AD DS schema into AD LDS
ADAMSync = DirSync
synchronizes objects
MS-AdamSyncConf.xml
PowerShell/VBS/ADSI