Tuesday, 23 September 2014

Active Directory Domain Service (ADDS)

What is Directory
A directory is simply a way to organize all sorts of information about a network. The types of
information stored in a directory include network resources, network services, network users and
groups, etc. A directory is a container that arranges objects in a systematic order according to
our requirement, e.g. a telephone directory, address directory, company directory, etc.
There are various types of directory available; they are as under:
Application directory : A directory maintained by e-mail software like Lotus Notes and
Exchange for keeping track of their users, etc.
Purpose-specific directory : A directory maintained by a particular service; for example, WINS and DNS
each maintain their own directory for storing the mapping between hostnames and IP addresses.
Network directory : An online directory that stores information about network resources, services and
objects in a network. It stores all information about computers, users, printers and other available
resources in a network. Active Directory in Windows 2000 is an example of a network directory.
What is Directory Service
In simple terms, a directory service can be defined as "the friendly telephone operator who guides or
looks up people's phone numbers for your assistance". If the directory is the actual data (the
list of people and telephone numbers), the operators and the method for calling them are the
directory service. In Windows 2008, Active Directory is the database, while the computers which
maintain this database are called Domain Controllers.
In the field of computing, various directories have been developed since networking began, such as:
Microsoft - Active Directory Service
Xerox - Grapevine
ITU - X.500
IEEE - DNS (Domain Naming Service)
Netware - NDS (Novell Directory Service)
RFC - LDAP (Light Weight Directory Access Protocol)
What is Active Directory Domain Service (AD DS)
AD DS is the new name given in Windows 2008 to ADS. AD DS is a true network directory that
includes all the features and benefits of a traditional directory service. In November 1996,
Microsoft delivered the first preview of Active Directory for developers at the Professional
Developers Conference held in Long Beach, California. Active Directory is designed to be a
single directory for any size of network. The informational (data) model of the LDAP protocol is
the base for Active Directory. Active Directory is based on X.500, the International Standards
Organization (ISO) standard defining the elements of a distributed directory service. This
standard proposes an object-oriented data model; therefore, it uses terms such as class, object
and attribute.
In Windows 2008 Microsoft has made several enhancements to Active Directory. We will study
these later in this chapter.
Active Directory Identity and Access (AD IDA)
In Windows 2008 Microsoft has broken up the Active Directory features into 5 different roles to suit
customer requirements. With this IDA feature Microsoft has provided a solution for enterprise
resource management like e-mail, database, application, files, etc. All the roles given below are
collectively called IDA (IDentity and Access) by Microsoft.
IDA concepts include Authentication (Identity), Application support, Security (Trust), External
connectivity (Partnership) and Integrity (Data protection).

The 5 Active Directory roles include
Active Directory Domain Service (AD DS) : Active Directory Domain Service was previously
called Active Directory Service (ADS). AD DS provides domain management with
authentication, authorization, policy management, etc. This is the same as what we have seen in
Windows 2003 Active Directory, but with enhancements.
Active Directory Lightweight Directory Service (AD LDS) : AD LDS is a standalone version
of Active Directory which was formerly known as Active Directory Application Mode (ADAM).
With AD LDS, directory-capable applications can now take advantage of the Active Directory service.
An application can store its data in AD LDS, and AD LDS replicates that data to other AD
LDS instances.
Active Directory Certificate Service (AD CS) : With this feature you can set up a Certificate
Authority to issue certificates for secure communication. AD CS provides certificates which
are used for user authentication, computer authentication, web authentication, VPN, IPsec, EFS,
secure wireless networks, digital signatures, etc.
Active Directory Rights Management Service (AD RMS) : AD RMS is an information
protection solution for documents and other resources. For example, you can configure it to allow a user
to read a document but not to print or copy its contents. AD RMS requires a Domain Controller
and an MS-SQL server, and the client requires the RMS client software.
Active Directory Federation Service (AD FS) : AD FS helps an organisation to extend its
identity solution across multiple platforms (i.e. Windows and non-Windows too). With AD FS a
user authenticated in one organisation can access resources of another organisation. This feature is
called Single sign-on (SSO).
Active Directory Domain Services Features
• Centralized database : With Active Directory Domain Service we get a centralized
network directory of the objects stored in Active Directory.
• Scalability : You can scale your network into multiple domains and trees according to
your requirement.
• Extensibility : You can extend the features of Active Directory Domain Service by
modifying the Active Directory schema.
• Manageability : With Active Directory you can manage your entire forest and find
resources easily and quickly.
• Integration with the Domain Name System (DNS) : DNS is used with Active Directory
to resolve names and find resources like GCs, DCs, etc.
• Enhanced Policy feature : With GPOs an administrator can manage the network in an efficient
manner.
• Enhanced replication feature : Active Directory replication is designed in such a way
that in a multi-domain network replication does not become an overhead for Active
Directory.
• Flexible in Operation : Operation can be made flexible with Active Directory by way of
using multiple protocols, schema modification, and domain and tree structures.
• Security and authentication : Active Directory Domain Service supports enhanced
security and authentication protocols like Kerberos, NTLM, SSL, TLS, etc.
• Directory-enabled applications support : With this feature applications can now
take advantage of Active Directory to store and replicate information.
• Compatible with other Directory services : Active Directory Domain Service is
compatible with other directory services due to its support for industry-standard protocols like
Kerberos, LDAP, X.500, etc.
Active Directory Domain Service Concepts
Active Directory Domain Service has several components that work together to provide a
complete directory service. They are as under :
Active Directory Domain Service Schema : The schema is simply the structure which defines
what objects and attributes can be stored in ADS. When a domain is set up it contains a
default schema known as the DIT (Directory Information Tree). There are over 140 predefined classes
and over 840 attributes stored in the DIT. SCHMMGMT.MSC is used to view the schema of ADS.
Objects and Attributes : In ADS every component is called an Object and every object has
some Attributes. E.g. users, computers and printers are called objects, and the properties related to them
are called Attributes.
Class : A Class is simply a container or an object containing sub-objects, like Forest, Tree,
Domain, O.U. etc.
Logical Structure of Active Directory
In Active Directory Domain Service, objects are grouped logically into Domains, Trees, Forests,
Organizational Units, etc. Grouping objects logically enables you to find an object by its name rather than by
its physical location.

Domains : A domain in AD is simply a logical grouping of objects like users, computers,
printers and OUs. A domain defines a boundary for all objects located under it. All objects under a
domain use a common namespace.
Trees : They are logical groupings of Domains and Sub-Domains under a single hierarchy. A tree
uses a common namespace for all domains under it. E.g. the tree of vision.com uses the same
namespace for all its child domains.
Forest : A forest is a logical grouping of Trees having multiple namespaces.
Organisation Unit : It is a sub-division of a domain into multiple logical classes by the administrator
for easy administration and management of the objects in a container.

Physical Structure
The physical components of Active Directory Domain Service are sites and domain controllers.
Domain Controller : A DC is a computer which runs the Windows 2008 Server operating
system and which maintains a copy of AD. In a domain we can have multiple DCs according to
our requirement.
Read-only Domain Controller (RODC) : The RODC is a new concept in AD DS. An RODC is a DC
which maintains a read-only copy of AD. An RODC provides security for branch offices where
physical security cannot be guaranteed.
Sites : A site is a collection of one or more IP subnets connected by a highly reliable and fast
link, used to localize as much network traffic as possible. In Active Directory Domain Service, sites
are not part of the namespace. When you browse the logical namespace, you see computers and
users grouped into domains and OUs, not sites. Sites contain only computer objects like Domain
Controllers and the connection objects used to configure replication between sites. Sites are basically
used to control replication of the Active Directory Domain Service database between Domain Controllers
in a site.
Global Catalog : The GC can be thought of as an index file which helps to find objects in a large Active
Directory Domain Service database. The global catalog is the central repository of information
about objects in a tree or forest. The GC stores a copy covering the entire Active Directory Domain
Service forest, while each domain holds only its own part of it. A DC maintains the Global Catalog database.
By default the first DC in the forest is assigned the role of Global Catalog. When a user logs on to a
machine, the GC searches for a matching object and sends the object query to the specific domain.
The global catalog performs the following tasks:
• It helps network logon by providing universal group membership information to a
domain controller when a logon process is initiated.
• It helps in finding information about objects within the forest.
• If a global catalog is not available when a user initiates a network logon process, the user
is only able to log on to the local computer (except members of the Domain Admins group).
• We can maintain multiple global catalog servers according to the requirements of the organization
and network traffic.
Dynamic DNS Service
One service that works closely with Active Directory Domain Service is the Domain Name System (DNS) service.
Active Directory relies on DNS to find or identify objects like DCs, GCs, etc. The DNS service is
configured to integrate with Active Directory for storing network and computer information.

Functions of DNS
• Finding objects in Active Directory like Domain Controllers, Global Catalogs, etc. using
SRV records in DNS.
• Resolving names (i.e. Fully Qualified Domain Names) to IP addresses.
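The SRV-based DC location described above, as an added example that is not part of the original post: it builds the record names AD DS registers, orders SRV answers the way a client does (lowest priority first, then by weight), and flags targets whose advertised port does not match the service. The SRV answers and host names are constructed, not the result of a real query.

```python
"""Locate domain controllers through the SRV records AD DS publishes in DNS.
Added example, not code from the original page; SRV answers are constructed."""
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "priority weight port target")

# Real record names registered by AD DS (RFC 2782 form: _service._proto.name)
def dc_locator_names(dns_domain, forest_root=None, site=None):
    forest_root = forest_root or dns_domain
    names = {
        "ldap_dc":  f"_ldap._tcp.dc._msdcs.{dns_domain}",
        "kerberos": f"_kerberos._tcp.dc._msdcs.{dns_domain}",
        "gc":       f"_gc._tcp.{forest_root}",
    }
    if site:   # site-specific record lets a client prefer a nearby DC
        names["ldap_dc_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{dns_domain}"
    return names

def order_srv(records):
    """RFC 2782 ordering: lowest priority first; within one priority a higher
    weight is preferred (a real resolver chooses randomly in proportion to weight)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

# Ports each service should advertise; Kerberos KDC listens on 88
EXPECTED_PORTS = {"ldap_dc": 389, "kerberos": 88, "gc": 3268}

def check_ports(kind, records):
    """Return targets advertising an unexpected port: a cheap integrity check a
    defender can run over the _msdcs zone to catch stale or wrong registrations."""
    return [r.target for r in records if r.port != EXPECTED_PORTS[kind]]

# Constructed sample: two DCs in the main site, a branch RODC at lower
# priority, and one entry registered with the wrong port
SAMPLE_LDAP_SRV = [
    SrvRecord(0, 100, 389, "dc1.msi.com."),
    SrvRecord(0, 50, 389, "dc2.msi.com."),
    SrvRecord(10, 100, 389, "branch-rodc.msi.com."),
    SrvRecord(0, 100, 3389, "misconfigured.msi.com."),
]

if __name__ == "__main__":
    print(dc_locator_names("msi.com", site="HeadOffice"))
    print([r.target for r in order_srv(SAMPLE_LDAP_SRV)])
    print("bad ports:", check_ports("ldap_dc", SAMPLE_LDAP_SRV))
```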
LDAP (Lightweight Directory Access Protocol)
LDAP is the protocol that defines how the AD service is designed and how objects are managed in AD.
It defines the schema of AD. It defines how objects are organized in AD. It also defines how
objects or resources can be accessed in AD. All object naming in AD is based on the LDAP
protocol.
LDAP Naming of objects
CN=Schema,CN=Configuration,DC=forest name,DC=forest root
e.g. : CN=Ajay Raul,CN=Users,DC=MSI,DC=com
In the above example Ajay Raul is the user's full name and MSI.com is the domain name.
LDAP Ports
Connections via the LDAP protocol between a client and a DSA use either the Transmission
Control Protocol (TCP) or the User Datagram Protocol (UDP). The table below lists the protocol
ports used in the different access modes:
Function                                    Port
LDAP                                        389
LDAP Secure Sockets Layer (SSL)             636
Global Catalog (GC)                         3268
Global Catalog Secure Sockets Layer         3269
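A parser for the LDAP naming shown above, as an added example that is not part of the original post: it splits a distinguished name into its RDNs (honouring backslash-escaped commas per RFC 4514), rejects unknown attribute types such as the "DN=" that is easy to mistype for "DC=", derives the DNS domain name from the DC components, and maps the access modes of the port table to their ports. The DNs used are constructed.

```python
"""Parse AD distinguished names and map LDAP access modes to ports.
Added example, not code from the original page; sample DNs are constructed."""

# Attribute types we accept in an AD DN (assumed subset; AD objects use CN, OU, DC)
VALID_TYPES = {"CN", "OU", "DC", "O", "C", "L"}

def split_dn(dn):
    """Split a DN string into RDN strings, keeping backslash-escaped commas intact."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts

def parse_dn(dn):
    """Return [(type, value), ...] from most specific RDN to the root.
    Raises ValueError on a malformed RDN or an unknown attribute type."""
    rdns = []
    for rdn in split_dn(dn):
        if "=" not in rdn:
            raise ValueError(f"RDN without '=': {rdn!r}")
        attr, value = rdn.split("=", 1)
        attr = attr.strip().upper()
        if attr not in VALID_TYPES:
            raise ValueError(f"unknown attribute type {attr!r} in {rdn!r}")
        rdns.append((attr, value.strip().replace("\\,", ",")))
    return rdns

def dns_domain_of(dn):
    """The DC components, read in order, spell the DNS name of the domain."""
    return ".".join(v for t, v in parse_dn(dn) if t == "DC")

# Ports from the table above, keyed by (scope, tls)
LDAP_PORTS = {("domain", False): 389, ("domain", True): 636,
              ("gc", False): 3268, ("gc", True): 3269}

def ldap_port(scope="domain", tls=False):
    """Port to connect to for a domain or global catalog query, plain or over SSL/TLS."""
    return LDAP_PORTS[(scope, tls)]

if __name__ == "__main__":
    dn = "CN=Ajay Raul,CN=Users,DC=MSI,DC=com"
    print(parse_dn(dn), dns_domain_of(dn), ldap_port("gc", tls=True))
```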
Directory Partitions
Each DC in a forest maintains directory partitions. A directory partition is a logical grouping of
objects in AD for easy indexing and searching. There are three types of partitions:
Schema Partition : It defines the types of data stored in AD. This partition is shared by all DCs in
a forest. When a new object is added to the network, the schema partition is checked so that the correct
attributes are applied to the object. The schema partition is replicated to all domains in the forest.

Configuration Partition : It is used to store configuration data of the network, such as topology,
replication settings and other network-wide resources. The configuration partition is replicated to all
domains in the forest.
Domain Partition : This partition stores information specific to an AD domain. It contains
information about users, computers and other objects for a specific domain only. Each domain
maintains its own domain partition.
Active Directory Support Files
The engine used by Active Directory is based on Microsoft's Jet database technology. Jet uses a
B-tree file structure with transaction logs to ensure recoverability in the event of a system or
drive failure.
When you promote a server to a domain controller, you select where to put the Active Directory
files. The default path is in the boot partition under \Windows\NTDS. Generally, it is a good
idea to put them on a separate volume from the operating system files to improve performance.
The following list contains the Active Directory support files and their functions:
Ntds.dit : This is the main AD database. NTDS stands for NT Directory Services and DIT
stands for Directory Information Tree. The Ntds.dit file on a particular domain controller
contains all naming contexts hosted by that domain controller, including the Configuration and
Schema naming contexts. A Global Catalog server stores the partial naming context replicas in
the Ntds.dit right along with the full Domain naming context for its domain.
Edb.log : This is a transaction log. Any change made to objects in Active Directory is first
saved to a transaction log. During lulls in CPU activity, the database engine commits the
transactions into the main Ntds.dit database. This ensures that the database can be recovered in
the event of a system crash. Entries that have not yet been committed to Ntds.dit are kept in memory
to improve performance. Transaction log files used by the ESE engine are always 1MB.
Edbxxxxx.log : These are auxiliary transaction logs used to store changes if the main Edb.log
file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in
hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is
renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts
over again. ESENT uses circular logging: excess log files are deleted after they have been
committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many
updates pending.
Edb.chk : This is a checkpoint file. It is used by the transaction logging system to mark the point
at which updates have been transferred from the log files to Ntds.dit. As transactions are committed, the
checkpoint in the Edb.chk file moves forward. If the system terminates abnormally, the pointer
tells the system how far a given set of commits had progressed before the termination.
Temp.edb : This is a scratch pad used to store information about in-progress transactions and to
hold pages pulled out of Ntds.dit during compaction.
Schema.ini : This file is used to initialize the Ntds.dit during the initial promotion of a domain
controller. It is not used after that has been accomplished.
How big is the Active Directory service database
Consider an Active Directory with 100,000 users, 100,000 computers, 10,000 groups, 10,000 printers and
10,000 volumes. The size of the resulting Ntds.dit is about 1,400 MB, or 1.4 gigabytes! This is
with minimal attributes set on the objects. If all the attributes are set and the schema is extended,
then the size can grow much larger.
Functional Level
Windows 2008 Active Directory Domain Service includes a feature to provide support for, or
compatibility with, all Windows Server based operating systems using domain and forest
functional levels. Different levels of domain functionality and forest functionality are available
depending on your environment. At each functional level various features are enabled or
disabled.

Domain functional level     Domain controllers supported
Windows 2000 native         Windows 2000
                            Windows Server 2003 family
                            Windows Server 2008 family
Windows Server 2003         Windows Server 2003 family
                            Windows Server 2008 family
Windows Server 2008         Windows Server 2008 family

Forest functional level     Domain controllers supported
Windows 2000                Windows 2000
                            Windows Server 2003 family
                            Windows Server 2008 family
Windows Server 2003         Windows Server 2003 family
                            Windows Server 2008 family
Windows Server 2008         Windows Server 2008 family
New features of Active Directory Service in Windows 2008
• Read only Domain Controller (RODC)
• Restartable AD Service
• Active directory command-line tools
• Fine-grained password and audit policy
• Active Directory mining tool
• AD certificate service
• Active directory Federation Service
• Active directory Lightweight directory service.
Authentication in Windows 2008
Windows 2008 supports 2 types of authentication protocol. They are Kerberos V5 and NTLM
(NT LAN Manager).
NTLM : This protocol is used for backward compatibility with operating systems like Windows
95, 98 and NT. This protocol is used in mixed mode and is disabled in native mode.
Kerberos V5 : This protocol is an industry-standard authentication protocol that provides a higher
level of security and is one of the most secure and fastest authentication protocols, developed at MIT.
Kerberos V5 is the default protocol used in Windows 2000/2003/2008/XP/Vista for
authentication of users, computers and even trust relationships.
How Kerberos V5 works
When a user logs on to the domain, the user's password is converted into an encryption key. The local
computer uses this key to encrypt timestamp information and sends it to the Domain
Controller. To find the Domain Controller, the client uses a DNS SRV record.
The Domain Controller decrypts the information, checks the timestamp, and
creates two Kerberos tickets. The tickets are encrypted using the user's stored password key and
sent back to the user. The two tickets are the logon session key ticket, which is used to
establish the logon session, and the TGT (Ticket Granting Ticket) or user ticket, which
helps the user to access network resources.
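A model of the exchange described above, as an added example that is not part of the original post: the client protects a timestamp with the key derived from the user's password, and the Domain Controller checks that protection (a wrong password fails here), then checks the timestamp against its own clock, and only then issues the session key and TGT under the user's key. HMAC-SHA256 stands in for the real Kerberos encryption types, the 5-minute skew tolerance is the assumed Windows default, and every key, name and clock value is constructed; the status strings are the RFC 4120 error names.

```python
"""Model of the Kerberos AS exchange (pre-authentication with a timestamp,
then session key and TGT returned under the user's key). Added example, not
code from the original page; HMAC stands in for encryption, values constructed."""
import hashlib
import hmac
import os

MAX_CLOCK_SKEW = 5 * 60       # seconds; assumed 5-minute tolerance (Windows default)
TGT_LIFETIME = 10 * 60 * 60   # seconds; assumed 10-hour ticket lifetime

def user_key(password, salt):
    """Derive the user's long-term key from the password (stand-in for string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10000)

def client_preauth(key, now):
    """Client side: protect the current timestamp with the user's key (PA-ENC-TIMESTAMP)."""
    stamp = str(int(now)).encode()
    return stamp, hmac.new(key, stamp, "sha256").digest()

def kdc_as_exchange(stored_keys, krbtgt_key, principal, stamp, tag, now):
    """KDC side: verify pre-auth, check clock skew, then issue session key and TGT.
    Returns (status, reply); a failed step stops the exchange with an error name."""
    key = stored_keys.get(principal)
    if key is None:
        return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
    expected = hmac.new(key, stamp, "sha256").digest()
    if not hmac.compare_digest(expected, tag):            # wrong password
        return "KDC_ERR_PREAUTH_FAILED", None
    if abs(int(stamp) - int(now)) > MAX_CLOCK_SKEW:       # stale or replayed timestamp
        return "KRB_AP_ERR_SKEW", None
    session_key = os.urandom(32)
    expiry = int(now) + TGT_LIFETIME
    # TGT: principal, expiry and session key bound under the krbtgt key, so only
    # the KDC can verify it (HMAC stands in for encryption in this model)
    tgt_body = f"{principal}|{expiry}|{session_key.hex()}".encode()
    tgt = (tgt_body, hmac.new(krbtgt_key, tgt_body, "sha256").digest())
    # the reply part goes back under the user's key, as the text describes
    reply_body = f"{expiry}|{session_key.hex()}".encode()
    reply = (reply_body, hmac.new(key, reply_body, "sha256").digest())
    return "OK", {"tgt": tgt, "enc_part": reply}

def client_read_reply(key, reply):
    """Client side: only the holder of the user's key can validate the reply part."""
    body, tag = reply["enc_part"]
    if not hmac.compare_digest(hmac.new(key, body, "sha256").digest(), tag):
        return None
    expiry, session_hex = body.decode().split("|")
    return int(expiry), bytes.fromhex(session_hex)

# Constructed KDC state: one user key and the krbtgt key
KRBTGT_KEY = hashlib.sha256(b"constructed-krbtgt-secret").digest()
STORED_KEYS = {"ajay.raul@MSI.COM": user_key("constructed-password", "MSI.COMajay.raul")}

def demo(password, clock_offset=0, now=1_700_000_000):
    """Run one logon attempt; clock_offset skews the client's clock in seconds."""
    key = user_key(password, "MSI.COMajay.raul")
    stamp, tag = client_preauth(key, now + clock_offset)
    status, reply = kdc_as_exchange(STORED_KEYS, KRBTGT_KEY, "ajay.raul@MSI.COM",
                                    stamp, tag, now)
    if reply is None:
        return status
    return status, client_read_reply(key, reply) is not None

if __name__ == "__main__":
    print(demo("constructed-password"), demo("wrong"), demo("constructed-password", 600))
```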
Windows 2008 Server Version Comparisons
Microsoft has included a whole variety of flavours of Windows Server 2008 to meet organisation
requirements. Windows Server 2008 is available in five primary editions, and
three of these editions are also available without Windows Server Hyper-V, bringing the total
number of editions to eight. Let us now review the eight editions of Windows Server 2008.
Windows Server 2008 Standard is the basic server operating system of the Windows Server 2008
family. It includes all the standard features and virtualization. This edition does not include
the clustering feature.
Windows Server 2008 Enterprise is designed for enterprise-level environments for deploying
business-critical applications like mail systems, web servers, application servers, etc. It
includes features like clustering and hot-add processor capabilities.
Windows Server 2008 Datacenter is designed for enterprise or multinational-level organizations
for deploying business-critical applications and large-scale virtualization on small and large
servers. It includes features like clustering and dynamic hardware partitioning capabilities. It
supports 2 to 64 processors.
Windows Web Server 2008 is designed to be used specifically as a single-purpose Web server.
Windows Web Server 2008 delivers a rock-solid foundation of Web infrastructure capabilities
in the next-generation Windows Server 2008. Integrated with the newly re-architected IIS 7.0,
ASP.NET, and the Microsoft .NET Framework, Windows Web Server 2008 enables any
organization to rapidly deploy Web pages, Web sites, Web applications, and Web services.
Windows Server 2008 for Itanium-Based Systems is designed to support 64-bit hardware and
large databases, line-of-business, and custom applications, providing high availability and
scalability for up to 64 processors to meet the needs of demanding and mission-critical solutions.
Windows HPC Server 2008, the next generation of high-performance computing (HPC),
provides enterprise-class tools for a highly productive HPC environment. Built on Windows
Server 2008, 64-bit technology, Windows HPC Server 2008 can efficiently scale to thousands of
processing cores and includes management consoles that help you to proactively monitor and
maintain system health and stability. Job scheduling interoperability and flexibility enables
integration between Windows and Linux based HPC platforms, and supports batch and service
oriented application (SOA) workloads. Enhanced productivity, scalable performance, and ease of
use are some of the features that make Windows HPC Server 2008 best-of-breed for Windows
environments.
Upgrade Paths for Windows 2008
Operating System                                      Upgrade Options
Windows Server 2003 R2 Standard Edition               • Full installation of Windows Server 2008 Standard
Windows Server 2003 Standard Edition with SP1         • Full installation of Windows Server 2008 Standard without Hyper-V technology
Windows Server 2003 Standard Edition with SP2         • Full installation of Windows Server 2008 Enterprise
                                                      • Full installation of Windows Server 2008 Enterprise without Hyper-V

Windows Server 2003 R2 Enterprise Edition             • Full installation of Windows Server 2008 Enterprise
Windows Server 2003 Enterprise Edition with SP1       • Full installation of Windows Server 2008 Enterprise without Hyper-V
Windows Server 2003 Enterprise Edition with SP2       • Full installation of Windows Server 2008 Datacenter
                                                      • Full installation of Windows Server 2008 Datacenter without Hyper-V

Windows Server 2003 R2 Datacenter Edition             • Full installation of Windows Server 2008 Datacenter
Windows Server 2003 Datacenter Edition with SP1
Windows Server 2003 Datacenter Edition with SP2

Windows Server 2008 Standard                          Windows Server 2008 Enterprise
Windows Server 2008 Standard without Hyper-V          Windows Server 2008 Enterprise without Hyper-V
Windows Server 2008 Enterprise                        Windows Server 2008 Datacenter
Windows Server 2008 Enterprise without Hyper-V        Windows Server 2008 Enterprise without Hyper-V
New Features in Windows Server 2008
This chapter covers new features in Windows Server 2008:
• RODC
• AD Restartable Service

• Quota Management
• File Service Resource Management
• Virtualization
• Fine-grained policy
• DNS and DHCP with IPv6 support
• AD RMS and AD FS
• Reliability Monitor
• Terminal Service Enhancement
• Windows Search Service
• Windows System Resource Manager
• New Windows Server Backup
• Network Access Protection
• Windows Deployment Service
• Many more
