International Journal of Information and Technology (IJIT) Volume 1 Issue 1, Mar-Apr 2015
ISSN: 2454-5414
www.ijitjournal.org

RESEARCH ARTICLE

OPEN ACCESS

An Advanced approach of Active Directory Techniques


Purna Chnadra Rao [1], Venkatesh Parmi [2]
Senior Consultant [1], Consultant [2]
Research and Development
Microsoft, Hyderabad
Telangana, India

ABSTRACT
In this paper we propose an advanced approach to Active Directory techniques that is used to
avoid security loopholes in an organization's entire AD. Active Directory is a Microsoft
server concept for managing an entire organization, designed around the tree data structure:
domains are arranged in trees, and one or more trees that share a common schema and global
catalog form a forest. Microsoft implemented this concept under the name Active Directory,
and there are now many versions of it.
Keywords:- AD, NT, FSMO, Domain, Forest
I. INTRODUCTION

As per Wikipedia and MSDN, Active Directory (AD) is a directory service that Microsoft
developed for Windows domain networks and that is included in most Windows Server
operating systems as a set of processes and services.[1][2]

An AD domain controller authenticates and authorizes all users and computers in a Windows
domain network, assigning and enforcing security policies for all computers and installing
or updating software. For example, when a user logs on to a computer that is part of a
Windows domain, Active Directory checks the submitted password and determines whether the
user is a system administrator or a normal user.[3]

Active Directory makes use of the Lightweight Directory Access Protocol (LDAP) versions 2
and 3, Microsoft's implementation of Kerberos, and DNS.

Active Directory, like many information technology efforts, originated out of a
democratization of design using Requests for Comments (RFCs). The Internet Engineering Task
Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by a wide
range of participants. Active Directory incorporates decades of communication technologies
into the overarching Active Directory concept and then makes improvements upon them.

For example, LDAP, a long-standing directory technology, underpins Active Directory. X.500
directories and the Organizational Unit also preceded the Active Directory concept, which
makes use of those methods. The LDAP concept began to emerge even before the founding of
Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include
RFC 1823 (on the LDAP API, August 1995),[4] RFC 2307, RFC 3062, and RFC 4533.

Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server,
and revised it to extend functionality and improve administration in Windows Server 2003.
Additional improvements came with Windows Server 2003 R2, Windows Server 2008, and Windows
Server 2008 R2. With the release of the last, Microsoft renamed the domain controller role
as Active Directory Domain Services (AD DS). It is also included in Windows Server 2012 and
Windows Server 2012 R2.

II. ACTIVE DIRECTORY SECURITY ARCHITECTURE

III. FSMO ROLE FAILURE

Some of the operations master (FSMO) roles are essential for AD functionality; others can be
unavailable for a while before their absence is noticed. Normally it is not the role itself
that fails but the DC on which the role is running.

If a DC that holds a role fails, you can seize the role on another DC, but you should always
try to transfer the role first. A transfer is a cooperative handover between the two DCs,
whereas a seizure simply rewrites the role owner in the directory without the old holder's
knowledge. The old holder therefore still believes it owns the role, which is why, for the
schema, domain naming and RID roles, it must never be returned to the network as it is.

Before seizing a role you need to assess the likely duration of the outage of the DC that
holds the role. If it is likely to be a short outage due to a temporary power or network
issue, you would probably want to wait rather than seize the role.
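The transfer-first, seize-only-if-permanent rule above, as an added PowerShell example that is not code from the paper: it lists the five role holders, tests whether the current holder still answers on the LDAP port, and transfers the role if it does, or seizes it with -Force only when the caller has judged the outage permanent. It assumes the ActiveDirectory RSAT module (Windows Server 2008 R2 or later), Test-NetConnection (Windows Server 2012 R2 or later), Domain Admin rights (Enterprise and Schema Admins for the forest-wide roles), and the DC name in the usage lines is a placeholder.

```powershell
# Added example (not from the paper). Inventory the operations master holders,
# then transfer a role when the holder is reachable or seize it when the
# outage has been assessed as permanent. DC names used are assumptions.
Import-Module ActiveDirectory

# Forest-wide roles are attributes of the forest object, per-domain roles of the domain object
$forest = Get-ADForest
$domain = Get-ADDomain
$holders = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}
$holders.GetEnumerator() | ForEach-Object { "{0,-22} {1}" -f $_.Key, $_.Value }

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster','PDCEmulator','InfrastructureMaster')]
        [string]$Role,
        [Parameter(Mandatory)][string]$TargetDC,   # DC that should take the role
        [switch]$OutagePermanent                   # set only after assessing the outage
    )
    $current = $holders[$Role]
    # A holder that still answers LDAP can hand the role over gracefully; prefer that path.
    $alive = Test-NetConnection -ComputerName $current -Port 389 -InformationLevel Quiet `
        -WarningAction SilentlyContinue
    if ($alive) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
        "Transferred $Role from $current to $TargetDC"
    }
    elseif ($OutagePermanent) {
        # Seizure rewrites the owner without the old holder's cooperation. For the
        # schema, domain naming and RID roles the old holder must be rebuilt, never
        # reconnected as-is, and its metadata cleaned up (ntdsutil "metadata cleanup").
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
        "Seized $Role on $TargetDC; former holder $current must not be brought back online as-is"
    }
    else {
        "$current is unreachable; wait for it unless the outage is confirmed permanent"
    }
}

# Usage (DC name is an assumption):
# Move-FsmoRole -Role RIDMaster -TargetDC 'DC02'
# Move-FsmoRole -Role RIDMaster -TargetDC 'DC02' -OutagePermanent
```

The port-389 probe stands in for the outage assessment the paper asks for; in practice it should be combined with the operational knowledge of whether the DC is coming back, since a DC that is merely unreachable across a WAN link should not have its roles seized.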
3.1 Schema Master Failure
In most cases the loss of the schema master will not affect network users; it affects
administrators only if modifications to the schema are required (for example, when
preparing the forest for a new version of Exchange or AD DS). You should seize this role
only when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.
3.2 Domain Naming Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins
will notice the loss only if they try to add or remove a domain (or an application
partition) in the forest. You should seize this role only when the failure of the existing
holder is considered permanent.
Note: A DC whose domain naming master role has been seized should never be brought back
online.
3.3 RID Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain Admins
will notice the loss only if a domain they are creating objects in runs out of relative IDs
(RIDs). Each DC draws a pool of RIDs from the RID master and requests a new pool only when
its current one is nearly used up, so object creation continues until the local pools are
exhausted. You should seize this role only when the failure of the existing holder is
considered permanent.
Note: A DC whose RID master role has been seized should never be brought back online.
3.4 PDC Emulator Master Failure
Network users will notice the loss of the PDC emulator, so if the DC with this role fails
you may need to seize the role immediately. Besides serving pre-Windows 2000 clients and
NT4 BDCs, the PDC emulator is the authoritative time source for the domain, receives urgent
replication of password changes and account lockouts, and is the default DC for Group
Policy edits; its loss is therefore noticed even in a domain with no legacy clients.
If you seize the role and later return the original DC to the network, you can transfer
the role back.
3.5 Infrastructure Master Failure
Temporary loss of this role holder will not be noticeable to network users. Administrators
will not notice the role loss unless they have recently moved or renamed large numbers of
accounts in another domain, because the infrastructure master is responsible for updating
the cross-domain object references (phantoms) held in its domain.
If you are required to seize the role, do not seize it to a DC that is a global catalogue
server unless all DCs in the domain are global catalogue servers (or the forest has a
single domain, where no cross-domain references exist). A global catalogue already holds a
copy of every object in the forest, so an infrastructure master running on one never finds
stale references to update, and the other DCs are never corrected.
If you seize the role and return the original DC to the network, you can transfer the role
back.
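Two checks that follow from the RID master and infrastructure master sections, as an added PowerShell example that is not code from the paper: reading the RID master's rIDAvailablePool attribute to see how many RIDs remain before the exhaustion the RID section describes, and confirming the infrastructure master is not a global catalogue unless every DC in the domain is one. It assumes the ActiveDirectory module, a reader allowed to query the RID Manager$ object, and the layout Microsoft documents for rIDAvailablePool (upper 32 bits = pool ceiling, lower 32 bits = next RID to issue).

```powershell
# Added example (not from the paper). Health checks for two operations masters.
Import-Module ActiveDirectory
$domain = Get-ADDomain

function Get-RidPoolStatus {
    # Read from the RID master itself so the value is not stale on a lagging replica
    $ridMgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
        -Properties rIDAvailablePool -Server $domain.RIDMaster
    $pool    = [int64]$ridMgr.rIDAvailablePool
    $ceiling = [int64]($pool -shr 32)          # highest RID the domain can ever issue
    $next    = [int64]($pool -band 0xFFFFFFFF)  # next RID block start to be handed out
    [pscustomobject]@{
        RIDMaster  = $domain.RIDMaster
        RidsIssued = $next
        RidCeiling = $ceiling
        Remaining  = $ceiling - $next
    }
}

function Test-InfrastructureMasterPlacement {
    $dcs   = Get-ADDomainController -Filter * -Server $domain.DNSRoot
    $im    = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $allGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    [pscustomobject]@{
        InfrastructureMaster = $domain.InfrastructureMaster
        HolderIsGC           = [bool]$im.IsGlobalCatalog
        AllDCsAreGC          = $allGc
        # Placement is fine when the holder is not a GC, or when every DC is a GC
        # (then no DC depends on the infrastructure master for phantom updates).
        PlacementOK          = (-not [bool]$im.IsGlobalCatalog) -or $allGc
    }
}

Get-RidPoolStatus
Test-InfrastructureMasterPlacement
```

A Remaining value that is a small fraction of RidCeiling is the early warning the RID section describes; PlacementOK being false is the misplacement the infrastructure master section warns against and is fixed by transferring the role to a non-GC DC.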
With non-AD-integrated DNS, the DNS server saves all zone data as text in a zone file
located at %SystemRoot%\System32\dns\ZoneName.com.dns and replicates it between DNS servers
by zone transfer. When DNS is integrated with AD, it instead stores the zone data in the AD
database NTDS.dit, as dnsZone and dnsNode objects whose record data is held in binary form.
The AD database contains multiple logical partitions, each holding specific information with
a scope to replicate at domain or forest level, and for integrated applications such as
Exchange and DNS additional application partitions are created inside the AD database. The
points below (illustrated in the original by a poster) cover:
1) What partitions are used by DNS
2) What kind of DNS information is saved in these partitions
3) What is the replication scope of these DNS partitions

Where a zone is stored depends on the replication scope chosen when the zone was created. A
zone created with the Windows 2000-compatible scope ("to all domain controllers in this
domain") is stored in the domain partition, under CN=MicrosoftDNS,CN=System, and replicates
to every DC in the domain whether or not it runs DNS. On Windows Server 2003 and later, zones
created during domain controller promotion, and zones created afterwards with the default
scope, are stored in the DomainDnsZones application partition and replicate only to the DCs
in that domain that run DNS; the forest-wide _msdcs zone is stored in the ForestDnsZones
application partition and replicates to all DNS servers on DCs in the forest. A custom
application partition may also be used. DNS zone data is never stored in the configuration
partition; that partition holds only the crossRef objects that describe the application
partitions.
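The partition-to-zone mapping described above, as an added PowerShell example that is not code from the paper: it asks the DNS server which partition each AD-integrated zone lives in, then enumerates the dnsZone objects directly from the three possible locations in NTDS.dit. It assumes a DC running both the DnsServer and ActiveDirectory modules (Windows Server 2012 or later) and, as an assumption, that the PDC emulator is also a DNS server.

```powershell
# Added example (not from the paper). Map AD-integrated DNS zones to the
# directory partition that stores them.
Import-Module DnsServer
Import-Module ActiveDirectory
$domain    = Get-ADDomain
$dnsServer = $domain.PDCEmulator   # assumption: the PDC emulator also runs DNS

# ReplicationScope: Forest -> ForestDnsZones, Domain -> DomainDnsZones,
# Legacy -> the domain partition itself (Windows 2000-compatible scope),
# Custom -> an administrator-created application partition.
Get-DnsServerZone -ComputerName $dnsServer |
    Where-Object { $_.IsDsIntegrated } |
    Select-Object ZoneName, ReplicationScope, DirectoryPartitionName

function Get-DnsZonesByPartition {
    $dn       = $domain.DistinguishedName
    $forestDn = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DistinguishedName
    $bases = [ordered]@{
        DomainPartition = "CN=MicrosoftDNS,CN=System,$dn"
        DomainDnsZones  = "CN=MicrosoftDNS,DC=DomainDnsZones,$dn"
        ForestDnsZones  = "CN=MicrosoftDNS,DC=ForestDnsZones,$forestDn"
    }
    foreach ($entry in $bases.GetEnumerator()) {
        # Each zone is a dnsZone object; its record sets are dnsNode children
        # whose dnsRecord attribute carries the binary record data.
        Get-ADObject -SearchBase $entry.Value -SearchScope OneLevel `
            -LDAPFilter '(objectClass=dnsZone)' -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{ Partition = $entry.Key; Zone = $_.Name }
            }
    }
}

Get-DnsZonesByPartition
```

The first listing is what the DNS server believes; the second is what the directory actually holds. A zone that appears under DomainPartition with no Legacy-scope zone in the first listing, or vice versa, is worth investigating, since a zone left in the domain partition replicates its records to every DC in the domain, including DCs that never serve DNS.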


IV. CONCLUSION
Thus, we have described an efficient method for securing highly confidential and restricted
areas of Active Directory. This method will be useful not only at present but also in the
future, for the next version of Active Directory.
REFERENCES

[1] https://msdn.microsoft.com/enus/library/cc723503.aspx
[2] http://en.wikipedia.org/wiki/Active_Directory
[3] http://sennovate.com/an-overviewof-windows-active-directory/
[4] http://www.ucs.cam.ac.uk/support/windowssupport/winsuptech/activedir/fsmoroles
[5] B. Desmond, J. Richards, R. Allen, Active Directory: Designing, Deploying, and Running Active Directory (paperback).
[6] B. Svidergol, R. Allen, Active Directory Cookbook, 4th ed., O'Reilly.
[7] T. Redmond, Tony Redmond's Exchange Unwashed.