
Active Directory Internals: Windows 2000 and Windows .NET
John Craddock
Principal Consultant
v-jcradd@microsoft.com jcrad@kimberry.co.uk

Sally Storey
Consultant
sallysto@kimberry.co.uk
Kimberry Associates

Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Securing Directory Objects
Advanced Delegation of Administration
Creating the Active Directory
Replication

Lots of Demos!
Demonstration forest: example.com and its child domain child.example.com, with the DCs netads01, netads02, netads03 and netads04 spread across the London and NewYork sites

Demonstration Environment
Windows XP host running VMware Workstation 3.1
Virtual network 10.20.0.0
4 virtual machines (netads01, netads02, netads03, netads04) running Windows .NET Enterprise Server
VMs configured for repeatable resume

Windows 2000 and .NET


The majority of topics apply equally well to Windows 2000 and .NET
All the demonstrations will be performed on .NET

Features that apply specifically to .NET are identified


Health Warning!!
In this seminar we will show the use of tools that allow direct access to AD objects and attributes
Always test any changes before implementing them in a production environment
You could always make mistakes!


Seminar Slides
Not all slides in this published slide deck will be presented
Excess slides have been included as background material


Things to Watch out For


More level-400 seminars under development
Book on digging deep into AD nearly complete!
In our skills rating this book is extreme
For proper computer geeks and nerds, no impostors

If you are interested in receiving further information on future seminars and/or books, please email
sales@kimberry.co.uk

For consultancy engagements, please contact


sallysto@kimberry.co.uk

Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Object Security / Securing Directory Objects
Advanced Administration / Advanced Delegation
Creating the Active Directory
Replication

Let's Make it Simple


The directory is a container for objects
It provides a mechanism for a logical representation of disparate entities to be stored in a common directory
The entities can be physical devices or services

Sub-containers can group objects to simplify management of objects with commonality


Grouping Objects
Management tasks include:
Controlling object visibility
Controlling access to objects
Maintaining attribute values
Identifying users and computers that will share a common group policy

Designed correctly, the AD will provide an ideal abstraction of resources for both users and management

An Ideal Model
Delegated Administration, Group Policy, Resource Access

Simple user access to data and resources

Hierarchy for management


Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Securing Directory Objects
Advanced Delegation of Administration
Creating the Active Directory
Replication

Anatomy of an Object covers:
Importing and Exporting Directory Objects
Extending the User Interface
Replicating the Directory
Adding Naming Contexts
The Global Catalog
The Schema


Representing Entities
An object may simply publish the existence of the entity or control its behaviour
Object attributes represent the entity's properties
Attribute values may be individually set or synchronized with the entity's properties

Object Access
(Diagram: a directory object carries an ACL made up of ACEs, e.g. granting Sales Managers read access; ACEs can apply to specific attributes)

Access to directory objects is controlled via ACLs
Fine granularity is provided by ACEs that apply to specific attributes
Access control is key to controlling visibility and delegating administration
ACL = Access Control List, ACE = Access Control Entry


Naming Objects
(Diagram: the domain mining.xyzgroup.com below xyzgroup.com, with OUs UK and USA; under UK the OUs ED and LN, each holding sales and legal OUs; the user John sits in legal under ED)

Example DN: cn=john,ou=legal,ou=ed,ou=uk,dc=mining,dc=xyzgroup,dc=com

Every object is identified by a unique Distinguished Name (DN)
Each component of the DN is referred to as a Relative Distinguished Name (RDN)
In addition to a DN (which may change), the object is uniquely identified by a GUID
cn = common name, ou = organizational unit, dc = domain component


Naming Contexts
Example for the domain mining.xyzgroup.com:
Domain NC: dc=mining,dc=xyzgroup,dc=com
Configuration NC: cn=configuration,dc=mining,dc=xyzgroup,dc=com
Schema NC: cn=schema,cn=configuration,dc=mining,dc=xyzgroup,dc=com

A Naming Context identifies a partition of the DIT
Each NC is individually replicated
DIT = Directory Information Tree


The Global Catalog


The GC is hosted on a DC in domainX
The GC responds to LDAP queries on port 3268
The GC holds the domainX objects plus the domain NC objects replicated from the other domains in the forest
The GC stores only a partial set of attributes for each object
If an attribute's definition in the schema has its isMemberOfPartialAttributeSet property set TRUE, it is replicated to the GC

Programmatic Access
LDAP provides programmatic access to the directory
Search, compare, add, modify, delete, rename (ModifyDN), and more

Windows 2000 implements LDAPv3


It will answer v2 queries

ADSI provides COM access to the directory


Uses LDAP as the on-the-wire protocol
LDAP = Lightweight Directory Access Protocol

RootDSE
All DCs maintain a node called RootDSE
RootDSE provides information on:
Supported naming contexts
The Root NC
LDAP versions
Supported controls (controls extend the capabilities of LDAP)
Policies and security


RootDSE = Root DSA-Specific Entry, DSA = Directory Service Agent

Tools for Digging Deep


ADSI Edit and LDP are installed as part of the support tools
Viewing RootDSE
Viewing domain NC objects and attributes
Changing attribute values
Checking security
LDAP queries

New .NET command line tools
DsQuery, DsAdd, DsGet, and more


Searching the Directory


The Find utility in the Active Directory Users and Computers console provides a means of searching the directory

More complex search criteria can be established by using the custom search, for example:
(&(|(l=london)(l=birmingham))(co=united kingdom))
& = logical AND, | = logical OR, l (Locality-Name) identifies the City


Ambiguous Name Resolution


ANR is a search algorithm that searches for a match between the input string and any of the attributes defined in the ANR set
The default ANR set includes:
GivenName, Surname, DisplayName, RDN, sAMAccountName and more

If the input string consists of two words, an additional check is made as follows:
(First word = GivenName AND Second word = Surname) OR (First word = Surname AND Second word = GivenName)


ANR Searches
The Find utility always makes an ANR search when searching for users
It can also be specified in an advanced custom search
(&(ANR=john)(co=united kingdom))

An attribute is a member of the ANR set if its definition in the schema has the ANR bit set in its searchFlags property
The attribute must also be indexed

dsHeuristics
The dsHeuristics attribute affects the behaviour of the ANR search
It is an attribute of the Directory Service object:
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration


Attribute Search-Flags
searchFlags bit layout (enabled = 1, disabled = 0):
bit 0 (1): Index over attribute
bit 1 (2): Index over container and attribute
bit 2 (4): Member of ANR set
bit 3 (8): Preserve this attribute on logical deletion (tombstoned)
bit 4 (16): Copy attribute when object is copied (user account copy)

Values can be changed programmatically
Limited access via Schema Manager

LDP to the Rescue


Advanced LDAP queries can be created using LDP
Locate all attributes replicated to the GC: isMemberOfPartialAttributeSet=TRUE
Locate all indexed objects and ANR set members: test the searchFlags attribute with a matching rule
Locate logically deleted objects: requires an extended LDAP control


BIT Wise Operations


Matching rules are used to test bits within an attribute
Syntax: attributeName:ruleOID:=value
No spaces; the value is in decimal

(searchFlags:1.2.840.113556.1.4.803:=5)
This rule OID provides an AND test: it evaluates true if bits 0 AND 2 are set

(searchFlags:1.2.840.113556.1.4.804:=5)
This rule OID provides an OR test: it evaluates true if bit 0 OR bit 2 is set
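To make the two matching rules concrete, here is an added example (not from the seminar) that evaluates the AND and OR rule OIDs offline against a constructed set of attributeSchema records and decodes searchFlags using the bit layout from the Attribute Search-Flags slide; the attribute names and flag values in SAMPLE_ATTRIBUTE_SCHEMA are constructed for illustration.

```python
"""Offline evaluation of AD's LDAP bitwise matching rules over searchFlags.
Added example, not code from the seminar or from Microsoft: the rule OIDs and
bit meanings are those on the slides, the sample schema records are constructed."""
import re

# LDAP_MATCHING_RULE_BIT_AND / LDAP_MATCHING_RULE_BIT_OR, as shown on the slide.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"

# searchFlags bit positions from the Attribute Search-Flags slide.
SEARCH_FLAG_BITS = {
    0: "index over attribute",
    1: "index over container and attribute",
    2: "member of ANR set",
    3: "preserve on logical deletion (tombstone)",
    4: "copy when object is copied",
}

# Constructed sample: ldapDisplayName -> searchFlags value (not real schema data).
SAMPLE_ATTRIBUTE_SCHEMA = {
    "givenName": 5,        # indexed (1) + ANR (4)
    "sn": 13,              # indexed + ANR + preserve on delete (8)
    "description": 16,     # copy on user-copy only
    "objectGUID": 9,       # indexed + preserve on delete
    "otherHomePhone": 0,   # nothing set
}

# attributeName:ruleOID:=value with no spaces and a decimal value, optional parentheses.
_EXTENSIBLE_MATCH = re.compile(r"^\(?([A-Za-z][\w-]*):([\d.]+):=(\d+)\)?$")


def decode_search_flags(value):
    """Names of the searchFlags bits set in `value`, lowest bit first."""
    return [name for bit, name in SEARCH_FLAG_BITS.items() if value & (1 << bit)]


def parse_bitwise_filter(filter_text):
    """Split 'attr:ruleOID:=value' into (attribute, rule_oid, int value)."""
    m = _EXTENSIBLE_MATCH.match(filter_text.strip())
    if not m:
        raise ValueError("not a bitwise extensible-match filter: %r" % filter_text)
    return m.group(1), m.group(2), int(m.group(3))


def matches_bitwise(attribute_value, rule_oid, test_value):
    """803 is true only if every bit of test_value is set; 804 if any bit is."""
    if rule_oid == LDAP_MATCHING_RULE_BIT_AND:
        return attribute_value & test_value == test_value
    if rule_oid == LDAP_MATCHING_RULE_BIT_OR:
        return attribute_value & test_value != 0
    raise ValueError("unsupported matching rule OID: %s" % rule_oid)


def search(filter_text, schema=SAMPLE_ATTRIBUTE_SCHEMA):
    """Sorted ldapDisplayNames whose searchFlags satisfy the bitwise filter.
    Only the searchFlags attribute is modelled in the sample data."""
    attribute, rule_oid, test_value = parse_bitwise_filter(filter_text)
    if attribute.lower() != "searchflags":
        raise ValueError("sample data only carries searchFlags")
    return sorted(name for name, flags in schema.items()
                  if matches_bitwise(flags, rule_oid, test_value))


if __name__ == "__main__":
    # The slide's two filters: AND needs bits 0 and 2 together, OR needs either.
    print(search("(searchFlags:1.2.840.113556.1.4.803:=5)"))
    print(search("(searchFlags:1.2.840.113556.1.4.804:=5)"))
    for name, flags in SAMPLE_ATTRIBUTE_SCHEMA.items():
        print(name, flags, decode_search_flags(flags))
```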


LDAP v3 Controls
Controls extend the functionality of LDAP
Server controls are sent to the server
Client controls affect the functionality of the LDAP API
The controls are identified by OIDs

Example control types:
Show Deleted Objects: 1.2.840.113556.1.4.417
Do Not Generate Referrals: 1.2.840.113556.1.4.1339
See the SDK header file ntldap.h for all the defined controls

Using Controls with LDP


Operational Attributes
Operational attributes provide a mechanism for triggering actions on the server via LDAP
They are not defined in the schema
Writing to the attributes causes the server to perform a predefined action

Actions include (see ntldap.h for details):
Updating the Schema
Transferring FSMO roles
Triggering the SD Propagator Thread

Operational Attributes

Updating the GC cache on .NET


Importing and Exporting Directory Objects


LDIF
LDAP Data Interchange Format (LDIF)
Defined in RFC 2849

LDIF files can contain:
Data
Data and actions to be performed
Actions include add, modify, delete


LDIF examples
Data is exported and imported using the ldifde utility

dn: cn=belle blackpool,ou=england,dc=example,dc=com
changetype: modify
add: otherHomePhone
otherHomePhone: 362 456 789
-

dn: cn=angus aberdeen,ou=england,dc=example,dc=com
changetype: delete


CSV
Data can be exported from the directory in Comma Separated Value (CSV) using the csvde utility
csvde takes the same command line switches as ldifde

csvde can be used to export and add directory objects


Cannot be used to modify or delete
Do not use for schema changes

Extending the User Interface


Display Specifiers
Display specifiers are defined for each locale; the user shell and the administration tools select the specifier for the current locale
Stored in a locale-specific container in the configuration NC
Stores UI display information for each object class
Property sheets, context menus, icons, creation wizards, attribute names

Extending the UI

The UI can be extended by adding property pages, wizards or context menu items to the appropriate Display Specifier
This must be done for each of the supported locales

Replicating the Directory


Replicating the Directory

GC: partial replica of all domain objects, hosted on one or more DCs
Configuration and Schema NCs are common to all domains
The Domain NC is only replicated within the domain

Adding Naming Contexts


Application Directory Partitions


Provides the ability to create new naming contexts within the directory
The DCs that host replicas of the NC can be defined
Cross-domain replication is supported
With the exception of security principals, any type of object/attribute can be supported

Application Directory Partitions: Create
(Diagram: an Application Directory Partition is created on a DC in example.com and a replica is added to a DC in child.example.com; the partition is then replicated between the two)

Application Directory Partitions and DNS


Creating Application Directory Partitions


Application Directory Partitions can be created programmatically or using the ntdsutil command line utility
Create the new NC on one DC and then add a replica to other DCs:
create nc dc=emea,dc=example,dc=com netads01.example.com
add nc replica dc=emea,dc=example,dc=com netads03.child.example.com


The Global Catalog


Deployment Issues
Adding attributes to the GC partial attribute set causes all GCs to fully synchronize
Equivalent to repromoting all GCs
No interruption in service
Bandwidth and CPU intensive

Applications may add attributes to the GC partial attribute set
Exchange 2000


Solution - No-GC Full Sync


Replicate only the added attributes
Modification to the replication protocol
Works between Windows .NET DCs only
Requires .NET forest functional level
Details later


Logon and the GC Dependency


A user's universal group membership changes by:
adding the user to a universal group
adding a global group of which the user is a member
nesting appropriate global and universal groups

During the logon process the security access token is constructed from the user SID and the group SIDs (Builtin, Domain Local, Global, Universal)
(Diagram: Builtin, domain local and global membership details come from the logon domain; universal group membership details come from the GC)



Deployment Issues
Logon fails if the GC is not available
Administrators can still logon

Logon with a failed GC presents a possible security breach:
Incomplete security token
Ignores access denies for universal groups


Deployment Issues
A GC at every site to avoid logon failures when the network is down
Increased hardware costs
Replication overhead


Universal Group Membership Caching


On first logon the user's group details are cached by the DC from a GC (diagram: a London DC caching from a GC in NewYork)
Periodically updated, default 8 hours
The cached group information is stored in the user's msDS-Cached-Membership attribute


Membership Changes
Changes to universal and global group membership will not be seen until after the cache has been refreshed
The user must also log off and on to rebuild the security token

No UI to refresh the cache
Refreshed via an operational attribute
Programmatically via ADSI and WMI
Manually using LDP


The Schema


The Schema
Object definitions: must-contain attributes, may-contain attributes, possible parents, more
Attribute definitions: unique identifier, syntax, range, indexed, replicated to GC, linked, property set, more

The Schema provides a formal definition of all the types of objects and attributes that can exist in a forest

Objects and attributes

Object class definition: an instance of the classSchema class defines a new object class
Attribute definition: an instance of the attributeSchema class defines an attribute
The instance's properties (attributes) define the characteristics of the attribute and apply whenever the attribute is added to an object


Class Definitions
Class definitions include:
Class identifiers: cn, ldapDisplayName, SchemaIDGUID, OID
mustContain, systemMustContain, mayContain and systemMayContain attributes, used when an object of this class is instantiated
Possible parents
SuperClasses and auxiliary classes
Every object class (except for top) is derived from another class

Class Inheritance
(Diagram: top (abstract) -> person (abstract) -> organizationalPerson (abstract) -> user (structural), each a subClassOf the one before; user carries the auxiliary classes securityPrincipal and mailRecipient via systemAuxiliaryClass)

An object class can be derived from other classes, which may themselves have been derived from other classes
Classes may be: Structural, Abstract, Auxiliary
Only structural classes can be instantiated in the directory


Aggregated Attributes
(Diagram: top, person, organizationalPerson, user, securityPrincipal, mailRecipient)
Aggregated: possible parents
Aggregated: mustContain, systemMustContain, mayContain, systemMayContain
The resultant attributes are aggregated from all the associated classes

The Abstract Schema


The Abstract Schema stores a subset of all the information in a single object
Provides a fast method of retrieving frequently used information
The Abstract Schema object is called Aggregate
attributeTypes: summary of attribute properties
objectClasses: summary of class definitions
The Abstract Schema is loaded into memory and is read-only



Windows .NET Changes


The Schema has been extended to support additional objects and attributes
inetOrgPerson as defined in RFC 2798 is now implemented
Auxiliary classes can be associated with an instantiated object
Support for dynamic objects: dynamic objects have a TTL after which they are removed from the directory

Attribute Properties
The properties of an attribute define settings which include:
Attribute identifiers: OID, ldapDisplayName, SchemaIDGUID
The syntax of the data stored in an instance of the attribute
Single-valued or multivalued data storage
The allowable data range
Attribute management: linked, indexed, member of ANR set, replicated to the GC and more

Viewing Attribute Properties


ADSIEdit or LDP allows full access to all properties of an attribute
Limited access to an attribute's properties is available through the Schema Manager Snap-In
The Schema Manager Snap-In requires registering
Automatically done when the Admin pack (Adminpak.msi) is installed
Run: regsvr32 schmmgmt.dll

Windows 2000 Schema Manager

(Screenshot showing the showInAdvancedViewOnly, isDefunct, searchFlags and isMemberOfPartialAttributeSet properties)


Linked Attributes
(Diagram: the manager attribute is the forward-link and Direct Reports is the back-link; Simon's Direct Reports lists the users whose manager attribute points at Simon)

Linked attributes are pairs of attributes where the value of the back-link is derived from the forward-link details
The Direct reports (reports) attribute is multivalued and contains the DNs of the objects that contain forward links that reference this object
Linked attributes are identified by their linkID properties being set to n and n+1
The forward-link is identified by an even value of n; n+1 identifies the back-link

Referencing Other Objects


(Diagram: the DSA presents the DN of referenced object B, while the database record of object A stores the database location of object B)

If attributes reference other objects, rather than storing the DN of the referenced object, the database location of the object is stored
This avoids the need to change multiple attributes if the DN of the object changes

Phantom Records
(Diagram: the DSA presents the DN of referenced object Z; the database record of object A references a phantom record holding the DN, GUID and SID of object Z)

A phantom record is created if an attribute references an object in another domain; this maintains the database reference paradigm
The phantom is created locally on each DC that receives a replica of object A
Phantoms are not required on the GC, as a database record for the referenced object already exists

Maintaining Phantoms
The Infrastructure Master runs on one DC in the domain and maintains the phantoms that are held in the DC's database
It checks phantom record data against the corresponding GC entries
If changes to the referenced objects are detected, these are replicated to all other DCs in the domain

The Infrastructure Master should not be run on a GC: there are no phantom records to check!


Extending the Schema


The Schema can be extended by creating new object classes and attributes
A new object class can be built from existing attributes and new attributes
A new attribute can be added to an existing object class and can then be used with existing object instances

OIDs
Object classes, attributes and syntaxes are defined using OIDs
The preferred method of obtaining an OID is to obtain your own root ID:
web.ansi.org/public/services/reg_org.html
www.iso.ch/addresse/membodies.html

You can also register a prefix and obtain an OID from:
http://msdn.microsoft.com/certification/adreg.asp

Modifying Schema Objects


Modifications to existing Schema objects are restricted
There are two categories of objects:
Category 1 are shipped with Windows 2000 in the base Schema
Category 2 are Schema objects that are subsequently added

Category 1 objects are identified by the 0x10 bit being set in the systemFlags
This value cannot be changed
The systemFlags also define if the object can be moved, deleted or renamed

Extending the Schema


The preferred method is to use LDIF scripts
Alternatives are: programmatically or via the UI

It is necessary to update the Schema cache prior to using the extensions
Automatic after 5 minutes
Or use the operational attribute schemaUpdateNow


Schema Protection
Only members of the Schema Admins group can make changes to the schema
Make sure that the Schema administrators are aware of their responsibilities

A safety interlock is provided in the Registry before changes can be made:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\SchemaUpdateAllowed
Can be enabled via the Schema Manager



Example LDIF Script


dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
adminDescription: ms-Exch-Schema-Version-Pt
adminDisplayName: ms-Exch-Schema-Version-Pt
attributeID: 1.2.840.113556.1.4.7000.102.97
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSchemaVersionPt
name: ms-Exch-Schema-Version-Pt
oMSyntax: 2
objectCategory: CN=Attribute-Schema,cn=schema,cn=configuration,dc=example,dc=com
objectClass: attributeSchema
rangeLower: 1
rangeUpper: 1
schemaIdGuid:: 1ZiBX8nnYEWxZgjcfPwXwQ==
searchFlags: 0

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: modify
replace: rangeUpper
rangeUpper: 4397
-

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

Example LDIF Script


The example script shows the final Schema changes when installing Exchange 2000
The rangeUpper value of the ms-Exch-Schema-Version-Pt attribute identifies the schema extensions build number
RC1 = 4197, RC2 = 4364, and RTM = 4397

Execute the script using:
ldifde -s srv1 -i -f c:\script.ldf
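As an added example for the two Example LDIF Script slides (not code from the seminar or from Microsoft), the following parser reads the slide's script into change records, decodes the base64 (`::`) schemaIdGuid into GUID form, and checks that every schemaUpdateNow write is aimed at RootDSE (the empty dn); the script is embedded so the code runs offline, and the checks are my own.

```python
"""Parse the slide's schema-extension LDIF into change records, decode the
base64 ('::') schemaIdGuid and check where schemaUpdateNow is written. Added
example, not code from the seminar: the LDIF is the slide's own script."""
import base64
import uuid

SLIDE_LDIF = """\
dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
adminDescription: ms-Exch-Schema-Version-Pt
adminDisplayName: ms-Exch-Schema-Version-Pt
attributeID: 1.2.840.113556.1.4.7000.102.97
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSchemaVersionPt
name: ms-Exch-Schema-Version-Pt
oMSyntax: 2
objectCategory: CN=Attribute-Schema,cn=schema,cn=configuration,dc=example,dc=com
objectClass: attributeSchema
rangeLower: 1
rangeUpper: 1
schemaIdGuid:: 1ZiBX8nnYEWxZgjcfPwXwQ==
searchFlags: 0

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: modify
replace: rangeUpper
rangeUpper: 4397
-

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-
"""


def parse_ldif(text):
    """Records as {"dn": str, "attrs": [(name, value, is_base64)]} per RFC 2849."""
    records, current, logical = [], None, []

    def flush():                       # finish the buffered logical line
        if not logical:
            return
        line = "".join(logical)
        del logical[:]
        if line.startswith("#") or line == "-":   # comment / modify separator
            return
        name, _, value = line.partition(":")
        is_b64 = value.startswith(":")           # 'attr:: base64value'
        value = (value[1:] if is_b64 else value).strip()
        if name == "dn":
            current["dn"] = value
        else:
            current["attrs"].append((name, value, is_b64))

    for raw in text.splitlines() + [""]:
        if raw.startswith(" "):        # continuation of the previous line
            logical.append(raw[1:])
            continue
        flush()
        if raw == "":                  # blank line ends the record
            if current is not None:
                records.append(current)
            current = None
            continue
        if current is None:
            current = {"dn": None, "attrs": []}
        logical.append(raw)
    return records


def get_values(record, name):
    """Values of attribute `name` (case-insensitive); base64 ones decoded to bytes."""
    return [base64.b64decode(v) if b64 else v
            for a, v, b64 in record["attrs"] if a.lower() == name.lower()]


def schema_id_guid(record):
    """schemaIdGuid is 16 raw bytes in Windows (little-endian) GUID layout."""
    return str(uuid.UUID(bytes_le=get_values(record, "schemaIdGuid")[0]))


def check_schema_update_now(records):
    """True if every schemaUpdateNow write targets RootDSE (empty dn), where it lives."""
    return all(r["dn"] == "" for r in records if get_values(r, "schemaUpdateNow"))


if __name__ == "__main__":
    recs = parse_ldif(SLIDE_LDIF)
    print(len(recs), "records; schemaIdGuid =", schema_id_guid(recs[0]),
          "; final rangeUpper =", get_values(recs[2], "rangeUpper")[0],
          "; schemaUpdateNow on RootDSE only:", check_schema_update_now(recs))
```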


Deletion of Schema Objects


In Windows 2000, once an object or attribute has been added to the Schema it cannot be deleted
It can be disabled (isDefunct=TRUE)

Windows .NET will allow Schema objects set as defunct to have their identification properties reused
E.g. OID, ldapDisplayName, mapiId
Identification properties can only be redefined if the Forest is at .NET functional level or higher


Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Securing Directory Objects
Advanced Delegation of Administration
Creating the Active Directory
Replication

AD Architecture
(Diagram: LDAP/ADSI clients (LDAP), replication transports (REPL), NT SAM calls (SAM) and Outlook clients (MAPI) all enter the Directory Service Agent)
Directory Service Agent (DSA)
DB Layer
Extensible Storage Engine


ESE
Originally code named JET Blue
Completely different to the Access database (JET Red)
ESE97: Exchange 5.5
ESENT: Windows 2000 (esent.dll)
Uses the same format and engine ulVersion (620,2) as ESE97
ESE98: Exchange 2000
Additional enhancements, including streaming file support
JET = Joint Engine Technology

What's Required?
A fast and highly optimised way of storing and retrieving loosely-structured and semi-structured data
Integrity and crash survival (ACID)
Transactions are: Atomic, Consistent, Isolated, Durable

Transaction Logging
(Diagram: a database write request reaches ESE, which calculates the database changes into the transaction buffer, writes the transaction to the log file edb.log and then confirms the database write; the transaction is later committed and written to the database ntds.dit, and the checkpoint edb.chk is updated)

The write is only confirmed once the transaction has been written to the log file

Log Files
There is always a delay between the transaction log being written and the transaction being committed
This delta is referred to as the checkpoint depth

The current log file is always edb.log
The older logs are identified as edb0000x.log, where x is an incrementing hex number
The log file size is 10 MB



Circular Logging
The Active Directory uses circular logging (no supported way of disabling)
When all the transactions in the log file have been committed, the file is deleted

Non-circular logging is mainly used for incremental backup
The System State, which includes the directory, must be backed up as a single entity
Circular logging is used because other components of the System State do not support incremental backup

Recovery
If the system crashes before all of the transactions are committed, the lost transactions are recovered from the log file
ESE determines which transactions have been committed by reading the dbTime value in the log file
edb.chk is only used to identify which log files should be checked
This speeds up the operation

File Summary

Files: ntds.dit, edb.log, edb0000x.log, edb.chk, res1.log, res2.log, ntds.pat

For maximum fault tolerance and performance use hardware arrays
Database: RAID 5
Log files: RAID 1 or RAID 0+1

Backing up the Directory


1. Commit dirty pages
2. Freeze checkpoint
3. Backup the database (ntds.dit) in 64K blocks; database transactions continue
4. Create a new edb.log
5. Backup all logs created since the frozen checkpoint (e.g. edb018.log, edb019.log, edb020.log, edb021.log)
6. Backup the patch file (ntds.pat)
7. Delete logs prior to the checkpoint

Transactions that cause fundamental changes to the structure, for instance B-tree page splits, are written to the patch file

ntdsutil
ntdsutil is the primary tool for checking the database files
Invokes esentutl
The system must be started in the Active Directory Restore mode

Soft recovery of the log files: performed by the DSA at startup if the previous shutdown was not clean
File integrity check: low-level binary check of all data
Semantic database analysis: checks references, deleted objects, container references, security descriptors

Other ntdsutil Options


Repair
Should only be used if backups are not available
There is no guarantee that it will work

Offline defragmentation
Online defragmentation automatically occurs every 12 hrs
Recovers storage, but does not reduce the size of the database files

Move
Changes the location of the database and log files


Object Deletion
On deletion:
isDeleted set TRUE, marked as tombstoned
Default tombstone life 60 days
Strips most attributes from the object
Key attributes retained, defined by the attribute search flag
Moved to the Deleted Objects container



Garbage collection
Deleted objects with an expired tombstone are removed by the garbage collection service
Default garbage collection every 12 hours


Be Careful
Always do a full system backup before making any changes to the database
Backup before and after moving the database
Backups are only valid for the tombstone period


Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Securing Directory Objects
Advanced Delegation of Administration
Creating the Active Directory
Replication

Object Access
(Diagram: a directory object carries an ACL made up of ACEs, e.g. granting Sales Managers read access; ACEs can apply to specific attributes)

Access to directory objects is controlled via Access Control Lists (ACLs)
Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes and actions (Extended rights)


UI Security Tab
Displayed attributes are controlled by the file %SystemRoot%\System32\dssec.dat
Excerpt:
[serviceInstance]
@=7
adminDescription=7
adminDisplayName=7
[user]
aCSPolicyName=7
adminCount=7
allowedAttributes=7
allowedAttributesEffective=7
allowedChildClasses=7
[volume]
adminDescription=7
adminDisplayName=7
allowedAttributes=7
allowedChildClassesEffective=7
@=7 means do NOT display the object; attribute=7 means do NOT display the attribute


Anatomy of an ACE (simplified)


ACE fields: ACE Type, Inheritance, Audit, Access Mask, Object Type, Inherited Object Type, Trustee (SID)
ACE Type: Access Allowed, Access Denied, Audit (Success, Fail)
Object Type: applies to an attribute or an extended right
Trustee (SID): identifies the security principal to which the ACE applies
Access Mask: specifies the type of access, e.g. Delete, Read/Write object security, Generic Read/Write access to the object and all attributes, Create/Delete child, Read/Write property, Extended write operation


Extended Rights
Only a limited number of operations can be defined through the access mask
Extended rights are used to define special operations and property sets
Special operations include resetting passwords, managing replication and changing FSMO roles

Extended rights are identified by ControlAccessRight objects created in cn=extended-rights,cn=configuration

Extended Rights (continued)


(Diagram: the ControlAccessRight cn=personal-information has appliesTo user; its rightsGUID is added to the attributeSecurityGUID of all members of the property set and is referenced from the ACL)

The objects to which extended rights apply are defined in the appliesTo attribute
Access to an extended right is controlled by adding the rightsGUID attribute value to the object's ACL
The rightsGUID also identifies the attributes that are members of a property set

Property Sets
Property Sets (Attribute Sets) allow attributes to be grouped
Read/Write access to the set is controlled using a single ACE
The set is identified by a GUID
All members of the same set have the same GUID in their attributeSecurityGUID property

An example of a property set is a user's personal details: address, phone, etc
GUID: 86b8b5774a94d1

Detective Work
We want to confirm that the user Notes property is a member of the Personal Information property set


Solving the Problem


Check the locale: HKCU\Control Panel\International
Map the UI display name to the ldapDisplayName: use the display specifiers
Map the ldapDisplayName to the attributeSchema object: use LDP or Schema Manager
Lookup its attributeSecurityGUID
Lookup the rightsGUID of the Personal-Information ControlAccessRight object in the Extended-Rights container
Do the GUIDs match?


ACEs
Example ACL: DENY SID1 W, Allow SID3 RX, Allow SID1 RX, Allow SID3 W

Each ACE grants or denies permissions for an individual security principal
The ACL is only checked until the requested access has been granted or denied
Kimberry _______
Associates

103

Canonical Ordering
[Diagram: example ACLs built from the ACEs ALLOW Administrators Full, DENY NETWORK RD and ALLOW Users RD, shown in canonical and non-canonical order]
- Canonical order of ACEs has always been encouraged
  - All access denies are placed in advance of access allows
- Non-canonical ordering is now considered valid in certain circumstances
  - Hidden distribution lists in Exchange 2000

104

Viewing Non-Canonical ACLs
[Screenshots: the security tab in Active Directory Users and Computers before and after installing Exchange 2000]
- Exchange 2000 replaces the ISecurityInformation interface

105

Object ACLs
[Diagram: the ACL on an OU contains ACEs that apply to the OU itself and inheritable ACEs; a directory object below it carries both its explicit ACL and the inherited ACL]
- Objects can inherit ACLs as well as having them explicitly set

106

ACE Ordering
[Diagram: concatenated ACL, explicit ACEs followed by inherited ACEs: DENY SID20 W, DENY SID15 RWX, Allow SID3 R, DENY SID1 RWD, Allow SID1 R, Allow SID11 R, Allow SID3 W, Allow SID31 W]
- An object's explicit ACEs are checked in advance of inherited ACEs
  - This can result in non-canonical order in the concatenated ACLs
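The three slides above (ACEs, Canonical Ordering and ACE Ordering) all come down to one rule: the DACL is walked in stored order and evaluation stops at the first decision, so the position of a deny relative to an allow changes the answer. This added example (not code from the seminar) models that walk with constructed SIDs and a four-bit access mask; the ACLs are the ones drawn on slides 102 and 106.

```python
"""Added example, not from the seminar: how an ordered DACL is evaluated and
why ACE order matters (slides 102, 103 and 106). SIDs and masks are constructed."""
from dataclasses import dataclass
from typing import List, Sequence

# Bit flags standing in for the access mask; letters follow the slides.
RIGHTS = {"R": 1, "W": 2, "X": 4, "D": 8}


def mask(letters: str) -> int:
    """'RWX' -> 7 and so on."""
    return sum(RIGHTS[c] for c in letters)


@dataclass(frozen=True)
class ACE:
    allow: bool              # True for Allow, False for DENY
    sid: str                 # trustee
    rights: int              # access mask
    inherited: bool = False  # the 'This ACE was inherited' flag


def access_check(acl: Sequence[ACE], token_sids: Sequence[str], wanted: int) -> bool:
    """Walk the ACL in stored order; stop as soon as every wanted bit has been
    granted, or as soon as a DENY covers a bit that is still wanted (slide 102)."""
    remaining = wanted
    for ace in acl:
        if ace.sid not in token_sids:
            continue
        if not ace.allow:
            if ace.rights & remaining:
                return False
        else:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return remaining == 0   # nothing matched: implicit deny


def canonical(acl: Sequence[ACE]) -> List[ACE]:
    """Canonical order: explicit denies, explicit allows, inherited denies,
    inherited allows. Because evaluation order is storage order, this is what
    makes every deny win over an allow at the same level (slides 103 and 106)."""
    return sorted(acl, key=lambda a: (a.inherited, a.allow))


# The ACL drawn on slide 102.
SLIDE_102 = [ACE(False, "SID1", mask("W")), ACE(True, "SID3", mask("RX")),
             ACE(True, "SID1", mask("RX")), ACE(True, "SID3", mask("W"))]

# The concatenated ACL of slide 106: explicit ACEs first, then inherited ones.
SLIDE_106 = [ACE(False, "SID20", mask("W")), ACE(False, "SID15", mask("RWX")),
             ACE(True, "SID3", mask("R")), ACE(False, "SID1", mask("RWD")),
             ACE(True, "SID1", mask("R"), True), ACE(True, "SID11", mask("R"), True),
             ACE(True, "SID3", mask("W"), True), ACE(True, "SID31", mask("W"), True)]

# A non-canonical DACL: an allow stored before a deny for the same trustee.
NON_CANONICAL = [ACE(True, "SID1", mask("RW")), ACE(False, "SID1", mask("W"))]

if __name__ == "__main__":
    print(access_check(NON_CANONICAL, ["SID1"], mask("W")))              # True
    print(access_check(canonical(NON_CANONICAL), ["SID1"], mask("W")))   # False
```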

107

Inheritance Propagation
[Diagram: a tree of OUs, each carrying an ACL, with an inheritable ACL propagating from the top down through the subtree]
- Inheritable ACLs can be propagated throughout the domain or a subtree of OUs

108

Controlling Inheritance
[Diagram, two panels of an OU tree with ACLs: "Inheritance restricted to one level" (the inheritable ACL reaches only the immediate children) and "Protected child object" (one child does not take the inherited ACL)]

109

ACE Inheritance
[Diagram: fields of an ACE: ACE Type, Inheritance, Audit, Access Mask, Object Type, Inherited Object Type, Trustee (SID)]
- Inheritance flags:
  - Inherit this ACE
  - Only propagate one level
  - Inherit only (the ACE does not apply to this object)
  - This ACE was inherited
- Object Type: the attribute or extended right the ACE applies to
- Inherited Object Type: the object type that will inherit this ACE, either all objects or the object class specified by GUID
- The SE_DACL_PROTECTED flag in the control field of the object's security descriptor prevents the object from inheriting ACEs from its parents

110

dsacls
C:\>dsacls cn=jill,dc=child,dc=example,dc=com
Access list:
Effective Permissions on this object are:
Allow CHILD\Domain Admins                FULL CONTROL
Allow NT AUTHORITY\SYSTEM                FULL CONTROL
Allow BUILTIN\Account Operators          FULL CONTROL
Allow NT AUTHORITY\SELF                  SPECIAL ACCESS for Personal Information
                                         WRITE PROPERTY
                                         READ PROPERTY
Allow NT AUTHORITY\SELF                  SPECIAL ACCESS for Phone and Mail Options
                                         WRITE PROPERTY
                                         READ PROPERTY
Allow NT AUTHORITY\SELF                  SPECIAL ACCESS for Web Information
                                         WRITE PROPERTY
                                         READ PROPERTY
Allow NT AUTHORITY\Authenticated Users   SPECIAL ACCESS for Personal Information
                                         READ PROPERTY
- Available via the Support Tools

111

Initial Object ACL
[Diagram: a new directory object under an OU receives its explicit ACL from the schema and combines it with the inheritable ACL of the parent]
- Explicit ACL from the schema
  - Schema default ACL for the particular object type
  - Set programmatically during creation
- Inherit ACL from parent and combine with explicit

112

Controlling Object Visibility
[Diagram: an OU holding sales data; the explicit Read ACE for Authenticated Users is removed so that only the intended readers (sales domain users, corporate managers) can read the volume objects]
- For many of the objects, the default ACL from the schema provides Read for Authenticated Users
- To control the visibility, this ACE must be removed

113

Modifying the Default Explicit Permissions
- The default permissions stored in the Schema can be modified
  - Location: defaultSecurityDescriptor attribute
  - Stored as an SDDL Unicode string
- The permissions from the schema can be reapplied using dsacls /S /T
- Check if schema defaults apply to an object with acldiag /schema
SDDL = Security Descriptor Definition Language

114

List Object Mode
[Diagram: with List Contents, G1 sees the existence of every contained object, including one to which access is denied; with List Object, G1 sees only the contained objects to which access is allowed]
- List Contents allows users to see the existence of contained objects even if access is denied to some of those objects
- The List Object mode allows the contained objects to be hidden
- Caveat: additional CPU cycles required for access checking

115

Selecting List Object Mode
- Set the third dsHeuristics flag to 1
  - If the dsHeuristics attribute is not already set, set it to 001 to enable List Object mode
  - If the attribute already contains a value, modify it appropriately
- Remember the first two flags control the ANR search algorithm
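"Modify it appropriately" means: change only the third character, keep every flag that is already set, and pad with zeros if the string is shorter than three characters. This added helper (not from the seminar) builds the new value from the current one; it also applies the MS-ADTS rule that every tenth character must hold the digit of its tens position (the 10th is '1', the 20th '2'), which matters as soon as padding reaches that far.

```python
"""Added example, not from the seminar: compute the new dsHeuristics value
when enabling List Object mode (slide 115) without clobbering other flags."""


def set_ds_heuristic(current: str, position: int, flag: str) -> str:
    """Return dsHeuristics with the 1-based character `position` set to `flag`.

    Missing characters are padded with '0' and every other character is kept
    as found. MS-ADTS requires every tenth character to be the digit of its
    tens position (10th = '1', 20th = '2'); that is enforced so a padded value
    is still accepted by the DC."""
    if position < 1 or len(flag) != 1:
        raise ValueError("position is 1-based and flag is a single character")
    chars = list(current or "")
    if len(chars) < position:
        chars.extend("0" * (position - len(chars)))
    for tens in range(10, len(chars) + 1, 10):
        chars[tens - 1] = str(tens // 10)
    chars[position - 1] = flag
    return "".join(chars)


# The third character controls List Object mode; the first two are the ANR flags.
LIST_OBJECT_POSITION = 3


def enable_list_object_mode(current: str) -> str:
    """'' -> '001', '1' -> '101', '001' -> '001' (already enabled)."""
    return set_ds_heuristic(current, LIST_OBJECT_POSITION, "1")


if __name__ == "__main__":
    for value in ("", "1", "001", "0000000001"):
        print(repr(value), "->", enable_list_object_mode(value))
```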

116

AdminSDHolder
[Diagram: the template ACL on cn=AdminSDHolder,cn=system,dc=domain,dc is compared with the ACL of each member of the administrators group; if different, the ACL is replaced and inheritance disabled]
- The ACL on user accounts that are domain administrators is automatically set and refreshed to enhance security
- The propagator thread runs every hour on the PDC FSMO

117

Default Template
- The default ACL template on AdminSDHolder cannot be fully edited through the UI
  - For example, there is no Change Password ACE for a container
- Change the template with dsacls
  dsacls cn=adminsdholder,cn=system,dc=. /G Everyone:CA;Change Password

118

Seminar Topics
Introduction Anatomy of an Object Data Storage Securing Directory Objects Advanced Delegation of Administration Creating the Active Directory Replication

119

Problem
- The European division is a child domain of corporate HQ in the US
- The European Domain Administrators need to authorize their own DHCP servers
  - Authorization fails
- HQ is not prepared to elevate the European domain admins to Enterprise Admins
- How do you solve the dilemma?

120

Solution
1. Enable auditing on the directory
2. Attempt to authorize the DHCP server
3. View the failed access in the security log
4. Adjust the security on the directory objects
5. Iterate until the problem is solved
6. Smile

121

Solution
[Diagram: cn=NetServices,cn=Services,cn=Configuration,dc=example,dc=com; its ACL is changed to enable creation of dHCPClass objects (step 1, create child object, e.g. cn=netads01.example.com and cn=netads03.child.example.com); the ACL on cn=DhcpRoot is changed to enable updating of the DhcpRoot (step 2, update root)]

122

Delegation of Control Wizard
- The tasks presented in the Delegation of Control Wizard are controlled through the template file %SystemRoot%\inf\delegwiz.inf
- The options displayed in the custom tasks are controlled via dssec.dat

123

delegwiz.inf
[Version]
signature="$CHICAGO$"

[DelegationTemplates]
Templates = template1, template3, template4, template5
;-----------------------------------------------------
[template1]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA
;------------------------------------------

Annotations from the slide:
- AppliesToClasses lists the classes the template applies to; domainDns is the LDAP name of the domain class (the template does not specify a particular domain)
- [template1.SCOPE] applies to this object and all objects; user=CC,DC grants create and delete of user objects
- [template1.user] applies to user objects; @ specifies the class defined on the ObjectTypes line; GA is Generic All (full control)

124

Seminar Topics
Introduction Anatomy of an Object Data Storage Object Security Advanced Delegation of Administration Creating the Active Directory Replication

125

Creating Domains
- dcpromo creates a new DC
  - Initial database from \system32\ntds.dit
  - Default objects in the DIT from \system32\schema.ini
- Three log files track the promotion process
  - Located in %SystemRoot%\Debug

126

Log Files
- dcpromoui.log: logs user interaction with the wizard and the promotion process
  - Increase logging levels via the Registry value dcpromoui under HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug
- dcpromo.log: logs the promotion process
- dcpromos.log: logs domain upgrades

127

Promotion Failure
- If the promotion stops
  - Don't automatically cancel the wizard
  - Troubleshoot and you may be able to complete the promotion
  - Check the logs if the message from the AD Installation Wizard is unclear

128

Interpreting Error/Results Codes
- Interpret decimal codes via
  - net helpmsg xxx
  - SDK files winerror.h or lmerr.h
  - If the error does not appear in winerror.h try subtracting 2100 and looking it up in lmerr.h
- Error codes in the format 8007xxxx
  - Require the 8007 to be dropped and xxxx converted from hex to decimal

129

Updating the Display Specifiers
- During the promotion process for the first domain in a new forest, dchelp.exe is added to the RunOnce key
  - Executes at first logon
- dchelp.exe uses csvde to import over 1000 display specifier settings into the AD
  - Data files dcpromo.csv, 409.csv (409.csv .NET only)
- Check for successful completion in dcpromohelp.log

130

Rock-Solid DNS is Vital
- DNS is pivotal to the integrity of the Active Directory
  - Incorrect DNS configuration can result in poor system response and failures
- Use nslookup to check DNS lookups and registrations

131

DNS Health Check


132

More Details Required?
15:42:16 674 PACKET UDP Snd 10.20.50.2
UDP response info at 00783F3C
  Socket = 292
  Remote addr 10.20.50.2, port 1036
  Time Query=17256, Queued=0, Expire=0
  Buf length = 0x0500 (1280)
  Msg length = 0x007c (124)
Message:
  XID       0x00ba
  Flags     0x8583
    QR        1 (RESPONSE)
    OPCODE    0 (QUERY)
    AA        1
    TC        0
    RD        1
    RA        1
    Z         0
    RCODE     3 (NXDOMAIN)
- Debug logging

133

Replication During Installation
[Diagram: dcpromo promotes a server to a DC and the AD is replicated to it from an existing DC via the network]
- Potential show stopper for branch offices with slow/intermittent links
  - Workaround: replicate locally and ship hardware
- Hinders fast deployment of multiple DCs across the same LAN

134

Solution - Install From Media
[Diagram: on an existing DC, Windows Backup backs up the system state; store it to media (DVD, CDROM, tape, file system); on the target server restore it to an alternative location and run dcpromo /adv]

135

Promotion
[Diagram: original DC and target server]
- Still requires network connectivity for
  - Location of an appropriate DC via DNS
  - Creation/replication of meta data
  - Replication of SYSVOL data
  - Replicating changes since the backup image was taken

136

Retiring DCs and Domains
- dcpromo is used to gracefully retire domain controllers and domains
- If a DC or domain is lost, its meta data must be removed from the forest
- If a DC becomes orphaned, dcpromo cannot be used to convert the DC back to a member server

137

Metadata Cleanup
- ntdsutil can be used to clean the metadata from the forest
  - Before using it, check that all domain controllers are fully replicated
- Use the metadata cleanup operation to delete:
  - references to servers
  - references to domains
- See Q230306, Q216498

138

Retiring an Orphaned DC
Instead of reinstalling you can try the following:
1. Reboot into Directory Services Restore mode
2. Edit the registry key \HKLM\SYSTEM\CCS\Control\ProductOptions
   - Change ProductType from LanmanNT to ServerNT
3. Delete the AD database and log files
4. Restart and the computer will be a member server
5. To complete the cleanup, promote the server into a new domain and then demote it again

139

Deleting the NTDS Settings Object on Windows .NET


140

Functionality Levels
- Initial compatibility with current systems is always important
  - Some new features may not be compatible with older systems
  - Windows 2000 Native mode is only enabled after all the Windows NT 4 BDCs have been retired
- Mixed/Native mode was not designed to be extensible
- Functionality levels are future proof

141

Identifying the Functionality Level
- A new attribute, msDS-Behavior-Version, holds the functionality level
- This attribute is used with three objects
  - NTDS Settings: shows the functionality level of the DC
  - Domain object (domainDNS): shows the current domain functionality level
  - Partitions container: shows the current forest functionality level
- If the attribute is missing then the version is taken as 0 (Windows 2000)

142

.NET Domain Functionality
- Only supports .NET DC interoperability
- Added functionality
  - Domain controller rename
  - Update logon timestamp
  - Kerberos KDC key version numbers
  - User password on InetOrgPerson

143

.NET Forest Functionality
- Only supports .NET domain controllers
- GC replication tuning
- Defunct schema objects
- Transitive inter-forest trusts
- Linked value replication
- Renaming domains
- Improved replication algorithms
- Dynamic auxiliary classes
- InetOrgPerson object class change

144

.NET Interim Forest
- .NET Interim is supported for upgrades from Windows NT
  - Improved replication algorithms for ISTG
  - Linked value replication
- Not supported on Windows 2000 domain controllers

145

Seminar Topics
Introduction Anatomy of an Object Data Storage Object Security Advanced Delegation of Administration Creating the Active Directory Replication

146

Replication Model
- Replication is at attribute level
- The replication model is described as multimaster, loose consistency with convergence
  - Multimaster: changes can be made at any DC
  - Loose consistency: there is a latency between changes being made and their availability throughout the enterprise
  - Convergence: eventually the changes will propagate to all DCs and conflicts will have to be detected and resolved

147

Identifying Changes
[Diagram: SRV1 holds changes USN 1321 to 1327; SRV2 asks "Send me your changes, I have all changes up to USN 1324"; SRV2's high-watermark for SRV1 is 1324 before and 1327 after the exchange]
- An Update Sequence Number (USN) tracks changes to attributes
- Each replication partner maintains high-watermark vectors which identify the highest USN that they have received from each partner

148

Propagation Dampening
[Diagram: SRV1's database holds USN 2231 to 2237, each labelled with its originating database and USN; 2234 and 2236 are replicas that originated at SRV3 with originating USNs 5430 and 5432, the rest originated at SRV1. SRV2 asks "Send me your changes, I have all changes up to USN 2232, and I have all the changes from SRV3 up to USN 5430". SRV1 sends 2233, 2235, 2236 and 2237; 2234 is not sent]
- Attributes change due to originating writes or received replicas
  - Both types of change increment the USN
- Propagation dampening stops replicating the same information from two different sources

149

More details
- The up-to-date vectors control propagation dampening
- The originating database is identified by the DSA GUID
  - This is the invocationId property of the NTDS Settings object
- Every time an attribute changes its version number is incremented by one
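The interplay of the two vectors on slides 147 to 149 is easiest to see in code: the high-watermark decides which of the partner's local USNs are even considered, and the up-to-date vector then drops any change whose originating (DSA, USN) the requester already holds. This is an added simulation, not code from the seminar; DC names stand in for invocationIds and every USN is constructed (the scenario function reproduces the numbers on slide 148).

```python
"""Added example, not from the seminar: a simulation of USNs, high-watermarks
and up-to-date vectors showing propagation dampening (slides 147 to 149).
DC names stand in for invocationIds; all data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Change:
    local_usn: int    # USN assigned in this DC's own database
    origin_dsa: str   # originating DSA (invocationId); never changes en route
    origin_usn: int   # USN the change had on the originating DC
    attribute: str
    value: str


@dataclass
class DC:
    name: str
    usn: int = 0
    log: List[Change] = field(default_factory=list)
    utd: Dict[str, int] = field(default_factory=dict)  # up-to-date vector
    hwm: Dict[str, int] = field(default_factory=dict)  # high-watermark per partner

    def originating_write(self, attribute: str, value: str) -> int:
        self.usn += 1
        self.log.append(Change(self.usn, self.name, self.usn, attribute, value))
        self.utd[self.name] = self.usn
        return self.usn

    def changes_for(self, partner_hwm: int, partner_utd: Dict[str, int]) -> List[Change]:
        """Everything above the requester's high-watermark, minus the changes
        whose originating (DSA, USN) its up-to-date vector already covers."""
        return [c for c in self.log
                if c.local_usn > partner_hwm
                and c.origin_usn > partner_utd.get(c.origin_dsa, 0)]

    def replicate_from(self, source: "DC") -> List[int]:
        """Pull one cycle from source; returns the originating USNs applied."""
        received = source.changes_for(self.hwm.get(source.name, 0), self.utd)
        for c in received:
            self.usn += 1   # a received replica also consumes a local USN
            self.log.append(Change(self.usn, c.origin_dsa, c.origin_usn, c.attribute, c.value))
        for dsa, seen in source.utd.items():  # merge the source's vector at cycle end
            self.utd[dsa] = max(self.utd.get(dsa, 0), seen)
        self.hwm[source.name] = source.usn
        return [c.origin_usn for c in received]


def slide_148_scenario() -> Tuple[List[int], List[int]]:
    """SRV2 asks SRV1 for changes above USN 2232 while already holding SRV3's
    changes up to USN 5430. Returns (local USNs sent, local USNs dampened)."""
    rows = [(2231, "SRV1", 2231), (2232, "SRV1", 2232), (2233, "SRV1", 2233),
            (2234, "SRV3", 5430), (2235, "SRV1", 2235), (2236, "SRV3", 5432),
            (2237, "SRV1", 2237)]
    srv1 = DC("SRV1", usn=2237, utd={"SRV1": 2237, "SRV3": 5432},
              log=[Change(l, d, o, "description", f"v{l}") for l, d, o in rows])
    srv2 = DC("SRV2", hwm={"SRV1": 2232}, utd={"SRV1": 2232, "SRV3": 5430})
    sent = [c.local_usn for c in srv1.changes_for(srv2.hwm["SRV1"], srv2.utd)]
    dampened = [c.local_usn for c in srv1.log
                if c.local_usn > 2232 and c.local_usn not in sent]
    return sent, dampened


if __name__ == "__main__":
    print(slide_148_scenario())   # ([2233, 2235, 2236, 2237], [2234])
```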

150

Observing Metadata
C:\>repadmin /showmeta cn=g1,dc=child,dc=example,dc=com
Loc.USN  Originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============  =======  ===================  ===  =====================
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectClass
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  cn
   9847  London\Srv1         9847  2002-09-07 15:34.02    1  description
   9863  London\Srv1         9863  2002-09-07 15:41.53    2  member
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  instanceType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  whenCreated
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  nTSecurityDescriptor
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  name
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectSid
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  sAMAccountName
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  sAMAccountType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  groupType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectCategory

151

Authoritative Restores
- The system is booted into AD Restore mode and the system state restored from backup
- ntdsutil is used to mark a branch of the domain or configuration NCs as authoritative
- This bumps the version numbers of all the attributes by 100,000 for each day since the original backup

152

Authoritative Restore Issues
- Reinstatement of old passwords may affect trusts and computer accounts
- Possible loss of group membership information
  - If the restored group replicates before the restored group members, the receiving DC will delete the missing members from the group
  - After replication has completed, create a dummy user in the affected groups to replicate the correct membership

153

SYSVOL Replication
- Multimaster replication of files and folders
- Uses intersite schedules
- Replicates file and folder attributes including ACLs

154

Resolving Conflicts
[Diagram: each replicated attribute carries a unique stamp made up of the version, the originating time and the originating DSA GUID]
- If the replica's version number is higher, accept the change
  - else if the originating time is later, accept the change
  - else tie-break on the originating DSA GUID
- Normally last writer wins, but this is not always true
- It is possible for the same attribute to be simultaneously updated at multiple locations
  - The DC checks that the replica is newer than the current version it holds before accepting the change

155

Other Issues
- An add or move operation to a container is performed on one DC as the container is deleted on another
  - The object is placed in the LostAndFound container
- Adding or moving objects on different DCs results in the objects having the same DNs
  - The RDN of the newer object is retained
  - The RDN of the other object becomes: RDN*CNF:<object GUID>

156

Multivalued Attributes
[Diagram: group G1 holds members Sally and John; Rod and Jane are added on SRV1 while Chloe and Pete are added on SRV2; on replication the newer attribute wins]
- Multivalued attributes are replicated as a single entity
- If the same group is simultaneously updated, after replication only one set of users will be retained

157

Solution: Linked Value Replication
- Store replication metadata per value for multivalued linked value attributes
  - Replicate individual changes instead of the whole membership
  - Eliminates the 5000 direct-member limit
- Storage and protocol incompatible with Windows 2000 - only works with Windows .NET
  - Requires Windows .NET Forest Mode
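Slides 151, 154, 156 and 157 are all the same stamp comparison applied at different granularities, so one added example (not code from the seminar) covers them: the version/time/GUID precedence, the 100,000-per-day bump of an authoritative restore, and the group membership of slide 156 resolved once as a whole value and once per linked value. Stamps, times and members are constructed; the direction of the GUID tie-break is an assumption.

```python
"""Added example, not from the seminar: the stamp comparison of slide 154,
the version bump of an authoritative restore (slide 151), and whole-value
versus linked value replication of group membership (slides 156 and 157).
All stamps and members are constructed."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True, order=True)
class Stamp:
    version: int       # incremented by one on each originating write
    origin_time: int   # originating time; here seconds since an arbitrary epoch
    origin_dsa: str    # originating DSA GUID, the final tie-break


def replica_wins(local: Stamp, replica: Stamp) -> bool:
    """Higher version wins; equal versions go to the later originating time;
    equal times are broken on the DSA GUID (assumed here: higher GUID wins).
    The field order of Stamp gives exactly that precedence."""
    return replica > local


def authoritative_restore(stamp: Stamp, days_since_backup: int,
                          dsa: str, now: int) -> Stamp:
    """ntdsutil raises the version by 100,000 per day since the backup, so the
    restored value out-ranks every write made in the meantime (slide 151)."""
    return Stamp(stamp.version + 100_000 * days_since_backup, now, dsa)


Members = Tuple[Stamp, Set[str]]                # one stamp for the whole attribute
LinkedMembers = Dict[str, Tuple[Stamp, bool]]   # a stamp per value; bool = present


def merge_whole_value(local: Members, replica: Members) -> Set[str]:
    """Windows 2000 behaviour: 'member' is one entity, the newer set replaces
    the other completely and the loser's additions are lost (slide 156)."""
    return replica[1] if replica_wins(local[0], replica[0]) else local[1]


def merge_linked_values(local: LinkedMembers, replica: LinkedMembers) -> Set[str]:
    """Linked value replication: every member carries its own stamp, so each
    value is resolved independently and concurrent additions both survive."""
    merged = dict(local)
    for value, (stamp, present) in replica.items():
        if value not in merged or replica_wins(merged[value][0], stamp):
            merged[value] = (stamp, present)
    return {v for v, (_, present) in merged.items() if present}


def slide_156_scenario() -> Tuple[Set[str], Set[str]]:
    """G1 holds Sally and John; SRV1 adds Rod and Jane at t=100 while SRV2
    adds Chloe and Pete at t=105. Returns (whole-value result, LVR result)."""
    base = Stamp(1, 0, "SRV1")
    srv1_whole = (Stamp(2, 100, "SRV1"), {"Sally", "John", "Rod", "Jane"})
    srv2_whole = (Stamp(2, 105, "SRV2"), {"Sally", "John", "Chloe", "Pete"})
    srv1_lvr = {"Sally": (base, True), "John": (base, True),
                "Rod": (Stamp(1, 100, "SRV1"), True), "Jane": (Stamp(1, 100, "SRV1"), True)}
    srv2_lvr = {"Sally": (base, True), "John": (base, True),
                "Chloe": (Stamp(1, 105, "SRV2"), True), "Pete": (Stamp(1, 105, "SRV2"), True)}
    return (merge_whole_value(srv1_whole, srv2_whole),
            merge_linked_values(srv1_lvr, srv2_lvr))


if __name__ == "__main__":
    whole, linked = slide_156_scenario()
    print(sorted(whole))    # Rod and Jane are lost
    print(sorted(linked))   # all six members survive
```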

158

And There is More
- If you've enjoyed this seminar
  - Tell your friends, ask your local Microsoft subsidiary when we will be in your area next!
  - We will be presenting it as a preconference session at MEC and IT Forum
- Hope to see you at Microsoft MEC and/or Microsoft IT Forum

159

Microsoft IT Forum
19-23 November, Copenhagen, Denmark
Get CONNECTED at Europe's Premier Conference for technology professionals.
Save 300 if you take advantage of the early bird special by registering on or before 21 October 2002.
http://www.microsoft.com/europe/itforum/
- Hear from Microsoft executives and technical experts
- Choose from over 140 technical breakout sessions
- Attend extensive hands-on training labs
- Explore the hottest new tools and technologies
....connect
Take advantage of the company or individual TechEd Attendee Discount.
http://www.microsoft.com/europe/itforum/special.asp

160

Thank you for coming
