
Active Directory Internals

Windows 2000 and Windows .NET

John Craddock
Principal Consultant
v-jcradd@microsoft.com jcrad@kimberry.co.uk

Sally Storey
Consultant
sallysto@kimberry.co.uk

Kimberry
_______
Associates
2

Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Securing Directory Objects
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication

3

Lots of Demos!
(diagram: demonstration forest with DCs netads01, netads02, netads03 and netads04; domains example.com and child.example.com; sites London and NewYork)

4

Demonstration Environment
(diagram: Windows XP host running four virtual machines, netads01 to netads04, on the virtual network 10.20.0.0)
• 4 virtual machines running Windows .NET Enterprise Server
• Host running VMware Workstation 3.1
– VMs configured for repeatable resume

5

Windows 2000 and .NET
• The majority of topics apply equally well to Windows 2000 and .NET
– All the demonstrations will be performed on .NET
• Features that apply specifically to .NET are identified

6

Health Warning!!
• In this seminar we will show the use of tools that allow direct access to AD objects and attributes
• Always test any changes before implementing them in a production environment
– You could always make mistakes!

7

Seminar Slides
• Not all slides in this published slide deck will be presented
• Excess slides have been included as background material

8

Things to Watch out For


• More level-400 seminars under development
• Book on digging deep into AD nearly
complete!
– In our skills rating this book is extreme
• For proper computer geeks and nerds, no impostors…
• If you are interested in receiving further
information, on future seminars and/or books
please email
sales@kimberry.co.uk
• For consultancy engagements, please
contact
sallysto@kimberry.co.uk
9

Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Object Security/Securing Directory Objects
• Advanced Administration/Advanced
Delegation
• Creating the Active Directory
• Replication

10

Let’s Make it Simple
• The directory is a container for objects
• It provides a mechanism for a logical representation of disparate entities to be stored in a common directory
– The entities can be physical devices or services
• Sub-containers can group objects to simplify management of objects with commonality

11

Grouping Objects
• Management tasks include:
– Controlling object visibility
– Controlling access to objects
– Maintaining attribute values
– Identifying users and computers that will share
a common group policy
• Designed correctly, the AD will provide an
ideal abstraction of resources for both users
and management

12

An Ideal Model
(diagram: a hierarchy for management that provides delegated administration, group policy and resource access, together with simple user access to data and resources)

13

Seminar Topics
• Introduction
• Anatomy of an Object
– Importing and Exporting Directory Objects
– Extending the User Interface
– Replicating the Directory
– Adding Naming Contexts
– The Global Catalog
– The Schema
• Data Storage
• Securing Directory Objects
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication
14

Representing Entities
(diagram: an object with attributes stands for an entity; attribute values may be individually set or synchronized with the entity’s properties)
• An object may simply publish the existence of the entity or control its behaviour
– Object attributes represent the entity’s properties
15

Object Access
(diagram: ACEs in the ACL of a directory object, with the Sales, SalesManagers and Managers groups and directory read access as examples; ACEs can apply to specific attributes)
• Access to directory objects is controlled via ACLs
– Fine granularity is provided by ACEs that apply to specific attributes
• Access control is key to controlling visibility and delegating administration
ACL = Access Control List, ACE = Access Control Entry
16
Naming Objects
(diagram: forest root xyzgroup.com with child domain mining.xyzgroup.com; OUs UK and USA, with LN and ED beneath UK and sales and legal beneath ED; the user John has the DN cn=john,ou=legal,ou=ed,ou=uk,dc=mining,dc=xyzgroup,dc=com)
• Every object is identified by a unique Distinguished Name
– Each component of the DN is referred to as the Relative Distinguished Name (RDN)
– In addition to a DN (which may change), the object is uniquely identified by a GUID
cn = common name, ou = organizational unit, dc = domain component
17

Naming Contexts
(diagram: domains mining.xyzgroup.com and xyzgroup.com)
Domain NC: dc=mining,dc=xyzgroup,dc=com
Configuration NC: cn=configuration,dc=mining,dc=xyzgroup,dc=com
Schema NC: cn=schema,cn=configuration,dc=mining,dc=xyzgroup,dc=com
• A Naming Context identifies a partition of the DIT
– Each NC is individually replicated
DIT = Directory Information Tree
18

The Global Catalog
(diagram: the GC is hosted on a DC in domainX; it holds the DomainX objects plus Domain NC objects replicated from the other domains in the forest, and responds to LDAP queries on port 3268)
• The GC stores only a partial set of attributes for each object
• If an attribute’s definition in the schema has its isMemberOfPartialAttributeSet property set TRUE, it is replicated to the GC
19

Programmatic Access
• LDAP provides programmatic access to the
directory
– Search, compare, add, modify, delete, rename
(ModifyDN), and more…
• Windows 2000 implements LDAPv3
– It will answer v2 queries
• ADSI provides COM access to the directory
– Uses LDAP as the on-the-wire protocol

LDAP = Lightweight Directory Access Protocol
20

RootDSE
• All DCs maintain a node called RootDSE
• RootDSE provides information on:
– Supported naming contexts
– The Root NC
– LDAP versions
– Supported controls
• Extends the capabilities of LDAP
– Policies and security

RootDSE = Root DSA-Specific Entry, DSA = Directory Service Agent
21

Tools for Digging Deep
• ADSI Edit and LDP are installed as part of the support tools
– Viewing RootDSE
– Viewing domain NC objects and attributes
– Changing attribute values
– Checking security
– LDAP queries
• New .NET command line tools
– DsQuery, DsAdd, DsGet, and more…

22

Searching the Directory
• The Find utility in the Active Directory Users and Computers console provides a means of searching the directory
– More complex search criteria can be established by using the custom search
(&(|(l=london)(l=birmingham))(co=united kingdom))
(diagram: the outer & is a logical AND, the inner | a logical OR; l is the Locality-Name attribute and identifies the city)
23

Ambiguous Name Resolution
• ANR is a search algorithm that searches for a match between the input string and any of the attributes defined in the ANR set
– The default ANR set includes:
• GivenName, Surname, DisplayName, RDN, sAMAccountName and more…
• If the input string consists of two words, an additional check is made as follows:
(First word = GivenName AND Second word = Surname)
OR
(First word = Surname AND Second word = GivenName)
24

ANR Searches
• The Find utility always makes an ANR search when searching for users
– It can also be specified in an advanced custom search
(&(ANR=john)(co=united kingdom))
• An attribute is a member of the ANR set if its definition in the schema has the ANR bit set in its searchFlags property
– The attribute must also be indexed
25

dsHeuristics
• The dsHeuristics attribute affects the behaviour of the ANR search
– It is an attribute of Directory Services
– cn=Directory Services,cn=Windows NT,cn=Services,cn=Configuration…

26

Attribute Search-Flags
searchFlags bit values (enabled = 1, disabled = 0):
– bit 0 (1): index over attribute
– bit 1 (2): index over container and attribute
– bit 2 (4): member of ANR set
– bit 3 (8): preserve this attribute on logical deletion (tombstoned)
– bit 4 (16): copy attribute when object is copied (user account copy)
• Values can be changed programmatically
– Limited access via Schema Manager

27

LDP to the Rescue
• Advanced LDAP queries can be created using LDP
– Locate all attributes replicated to the GC
• isMemberOfPartialAttributeSet=TRUE
– Locate all indexed objects and ANR set members
• Test the attribute with a matching rule
– Locate logically deleted objects
• Requires an extended LDAP control

28

BIT Wise Operations
• Matching rules are used to test bits within an attribute
– Attributename:ruleOID:=value
• No spaces, value in decimal
(searchFlags:1.2.840.113556.1.4.803:=5)
Rule OID provides an AND test, evaluates true if bits 0 AND 2 are set
(searchFlags:1.2.840.113556.1.4.804:=5)
Rule OID provides an OR test, evaluates true if bits 0 OR 2 are set
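The filter on the Searching the Directory slide, the two-word ANR check, the searchFlags bit values and the two bitwise matching-rule OIDs can all be exercised offline with a small filter evaluator. This is an added example written for this page, not the seminar's own code or any Microsoft tooling: it parses the filter grammar used on these slides and evaluates it against constructed sample entries. The people, the attributeSchema records and their searchFlags values are invented for the example, the ANR set is a subset of the real default, and ANR is modelled as a prefix match, which is an assumption of this example rather than something the slides state.

```python
import re

# Bitwise matching-rule OIDs from the BIT Wise Operations slide
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"
# searchFlags bit values as listed on the Attribute Search-Flags slide
SF_INDEX, SF_CONTAINER_INDEX, SF_ANR, SF_PRESERVE_ON_DELETE, SF_COPY = 1, 2, 4, 8, 16
# Simplified ANR set (a subset of the real default set)
ANR_SET = ("givenName", "sn", "displayName", "name", "sAMAccountName")

# Constructed sample user entries (not real directory data)
ENTRIES = [
    {"dn": "cn=john craddock,ou=uk,dc=example,dc=com", "givenName": "John", "sn": "Craddock", "l": "London", "co": "United Kingdom"},
    {"dn": "cn=sally storey,ou=uk,dc=example,dc=com", "givenName": "Sally", "sn": "Storey", "l": "Birmingham", "co": "United Kingdom"},
    {"dn": "cn=angus aberdeen,ou=us,dc=example,dc=com", "givenName": "Angus", "sn": "Aberdeen", "l": "New York", "co": "United States"},
]
# Constructed attributeSchema records; the searchFlags values are illustrative, not the real ones
SCHEMA_BASE = "cn=schema,cn=configuration,dc=example,dc=com"
SCHEMA = [
    {"dn": "cn=Example-A," + SCHEMA_BASE, "searchFlags": SF_INDEX | SF_ANR},                 # bits 0 and 2
    {"dn": "cn=Example-B," + SCHEMA_BASE, "searchFlags": SF_INDEX},                          # bit 0 only
    {"dn": "cn=Example-C," + SCHEMA_BASE, "searchFlags": SF_INDEX | SF_PRESERVE_ON_DELETE},  # bits 0 and 3
    {"dn": "cn=Example-D," + SCHEMA_BASE, "searchFlags": SF_COPY},                           # bit 4 only
]


def parse_filter(text):
    """Parse a filter into ('&'|'|', kids), ('!', [kid]), ('eq', attr, value) or
    ('ext', attr, ruleOID, value). Values may not contain ')' in this toy grammar."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        if text[pos] in "&|":
            op, pos = text[pos], pos + 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
        elif text[pos] == "!":
            op, pos = "!", pos + 1
            kids = [node()]
        else:
            end = text.index(")", pos)
            item, pos = text[pos:end], end + 1
            m = re.fullmatch(r"([A-Za-z0-9-]+)(?::([0-9.]+))?:=(.*)", item)
            if m:                                    # attr:ruleOID:=value (extensible match)
                return ("ext", m.group(1), m.group(2), m.group(3))
            attr, _, value = item.partition("=")     # plain equality
            return ("eq", attr, value)
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return (op, kids)

    tree = node()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return tree


def _values(entry, attr):
    """Case-insensitive attribute lookup; always returns a list."""
    for key, val in entry.items():
        if key.lower() == attr.lower():
            return val if isinstance(val, list) else [val]
    return []


def _anr_match(entry, text):
    """ANR as on the slides: match against any ANR-set attribute, plus the givenName/sn
    swap check when the input is two words. Prefix matching is an assumption here."""
    def starts(attr, word):
        return any(str(v).lower().startswith(word.lower()) for v in _values(entry, attr))
    if any(starts(a, text) for a in ANR_SET):
        return True
    words = text.split()
    if len(words) != 2:
        return False
    first, second = words
    return (starts("givenName", first) and starts("sn", second)) or (starts("sn", first) and starts("givenName", second))


def evaluate(tree, entry):
    """Evaluate a parsed filter against one entry."""
    kind = tree[0]
    if kind in ("&", "|"):
        return (all if kind == "&" else any)(evaluate(k, entry) for k in tree[1])
    if kind == "!":
        return not evaluate(tree[1][0], entry)
    if kind == "eq":
        _, attr, value = tree
        if attr.lower() == "anr":
            return _anr_match(entry, value)
        return any(str(v).lower() == value.lower() for v in _values(entry, attr))
    _, attr, rule, value = tree                      # bitwise matching rule, value in decimal
    mask = int(value)
    for bits in (int(v) for v in _values(entry, attr)):
        if rule == LDAP_MATCHING_RULE_BIT_AND and (bits & mask) == mask:
            return True
        if rule == LDAP_MATCHING_RULE_BIT_OR and bits & mask:
            return True
    return False


def search(entries, filter_text):
    """Return the DNs of the entries that match the filter."""
    tree = parse_filter(filter_text)
    return [e["dn"] for e in entries if evaluate(tree, e)]
```

Running `search(SCHEMA, "(searchFlags:1.2.840.113556.1.4.803:=5)")` returns only Example-A, because the AND rule needs both bit 0 and bit 2 set, while the 804 (OR) rule with the same value also returns Example-B and Example-C, which each have one of the two bits; Example-D, with only bit 4, matches neither. The same evaluator answers `(&(ANR=john)(co=united kingdom))` and the two-word form `(ANR=craddock john)` through the surname/given-name swap described on the Ambiguous Name Resolution slide.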

29

LDAP v3 Controls
• Controls extend the functionality of LDAP
– Server controls are sent to the server
– Client controls affect the functionality of the
LDAP API
• The controls are identified by OIDs
Example Control Types:
Show Deleted Objects: 1.2.840.113556.1.4.417
Do Not Generate Referrals: 1.2.840.113556.1.4.1339

See the SDK header file ntldap.h for all the defined controls
30

Using Controls with LDP

31

Operational Attributes
• Operational attributes provide a mechanism
for triggering actions on the server via LDAP
– They are not defined in the schema
– Writing to the attributes causes the server to
perform a predefined action
• Actions include (ntldap.h for details):
– Updating the Schema
– Transferring FSMO roles
– Triggering the SD Propagator Thread
32

Operational Attributes
(screenshot: updating the GC cache on .NET)
Importing and Exporting
Directory Objects
34

LDIF
• LDAP Data Interchange Format (LDIF)
– Defined in RFC 2849
• LDIF files can contain
– Data
– Data and actions to be performed
• Actions include
– Add, modify, delete

35

LDIF examples
• Data is exported and imported using the ldifde utility
dn: cn=belle blackpool,ou=england,dc=example,dc=com
changetype: modify
add: otherHomePhone
otherHomePhone: 362 456 789
-

dn: cn=angus aberdeen,ou=england,dc=example,dc=com
changetype: delete

36

CSV
• Data can be exported from the directory in Comma Separated Value (CSV) format using the csvde utility
– csvde takes the same command line switches as ldifde
• csvde can be used to export and add directory objects
– Cannot be used to modify or delete
– Do not use for schema changes

Extending the User Interface
38

Display Specifiers
(diagram: display specifiers for the user shell and for the administration tools are defined for each object class and for each locale; they are stored in a locale-specific container in the configuration NC, and the specifier for the current locale is selected)
• Stores UI display information for each object
– Property sheets, context menus, icons, creation wizards, attribute names…
39

Extending the UI
• The UI can be extended by adding property pages, wizards or context menu items to the appropriate Display Specifier
– This must be done for each of the supported locales
Replicating the Directory
41

Replicating the Directory
(diagram: the GC, hosted on one or more DCs, holds a partial replica of all domain objects)
• Configuration and Schema NCs are common to all domains
– The Domain NC is only replicated within its own domain
Adding Naming Contexts
43

Application Directory
Partitions
• Provides the ability to create new
naming contexts within the directory
– The DCs that host replicas of the NC can
be defined
– Cross-domain replication is supported
• With the exception of security principals
any type of object/attribute can be
supported

44

Application Directory Partitions
(diagram: an Application Directory Partition created in example.com is replicated to a replica added in child.example.com)

45

Application Directory
Partitions and DNS

46

Creating Application Directory Partitions
• Application Directory Partitions can be created programmatically or using the ntdsutil command line utility
• Create the new NC on one DC and then add a replica to other DCs
create nc dc=emea,dc=example,dc=com netads01.example.com
add nc replica dc=emea,dc=example,dc=com netads03.child.example.com

The Global Catalog
48

Deployment Issues
• Adding attributes to the GC partial attribute
set causes all GCs to fully synchronize
– Equivalent to repromoting all GCs
– No interruption in service
– Bandwidth, CPU intensive
• Applications may add attributes to the GC
partial attribute set
– Exchange 2000

49

Solution - No-GC Full Sync
• Replicate only added attributes
– Modification to replication protocol
– Works between Windows .NET DCs only
– Requires .NET forest functionality level
• Details later

50

Logon and the GC Dependency
(diagram: the security access token is built from the user SID and the group SIDs; Builtin, Domain Local and Global membership details come from the logon domain, Universal membership details come from the GC)
A user’s universal group membership changes by:
• adding the user to a universal group
• adding a global group of which the user is a member
• nesting appropriate global and universal groups
• During the logon process the security access token is constructed
51

Deployment Issues
• Logon fails if the GC is not available
– Administrators can still logon
• Logon with a failed GC presents a possible security breach
– Incomplete security token
– Ignores access deny for universal groups

52

Deployment Issues
• A GC at every site to avoid logon failures when the network is down
• Increased hardware costs
• Replication overhead

53

Universal Group Membership Caching
(diagram: on first logon the DC caches the user’s group details from a GC in another site (NewYork and London in the picture); the cache is periodically updated, by default every 8 hours)
• The cached group information is stored in the user’s msDS-Cached-Membership attribute
54

Membership Changes
• Changes to universal and global group
membership will not be seen until after the
cache has been refreshed
– The user must also log off and on to rebuild
the security token
• No UI to refresh the cache
– Refreshed via an operational attribute
• Programmatically via ADSI and WMI
• Manually using LDP

The Schema
56

The Schema
(diagram)
Object definitions:
– Unique identifier
– Must contain attributes
– May contain attributes
– Possible parents
– More…
Attribute definitions:
– Unique identifier
– Syntax
– Range
– Indexed
– Replicated to GC
– Linked
– Property set
– More…
• The Schema provides a formal definition of all the types of objects and attributes that can exist in a forest
57

Objects and attributes
(diagram: an object class definition is an instance of the classSchema class; an attribute definition is an instance of the attributeSchema class)
• An instance of the classSchema class defines a new object class
• An instance of the attributeSchema class defines an attribute
– The instance’s properties (attributes) define the characteristics of the attribute and apply whenever the attribute is added to an object
58

Class Definitions
• Class definitions include:
– Class identifiers
• cn, ldapDisplayName, SchemaIDGUID, OID
– mustContain, systemMustContain, mayContain,
and systemMayContain attributes
• Used when an object of this class is instantiated
– Possible parents
– SuperClasses and auxiliary classes
• Every object class (except for top) is derived from
another class
59

Class Inheritance
(diagram: top, person and organizationalPerson are abstract classes, each a subClassOf the previous one; user is a structural class, a subClassOf organizationalPerson, with securityPrincipal and mailRecipient as auxiliary classes through systemAuxiliaryClass)
• An object class can be derived from other classes
– Which may have also been derived from other classes
• Classes may be:
– Structural
– Abstract
– Auxiliary
Only structural classes can be instantiated in the directory
60

Aggregated Attributes
(diagram: the attributes of a user object are aggregated from top, person, organizationalPerson, user, securityPrincipal and mailRecipient)
Aggregated: mustContain, systemMustContain, mayContain, systemMayContain
Aggregated: possible parents
• Resultant attributes are aggregated from all the associated classes
61

The Abstract Schema


• The Abstract Schema stores a subset of all
the information in a single object
– Provides a fast method of retrieving frequently
used information
– The Abstract Schema object is called Aggregate
• attributeTypes summary of attributes properties
• objectClasses summary of class definitions
– The Abstract Schema is loaded into memory
and is read-only

62

Windows .NET Changes


• The Schema has been extended to support
additional objects and attributes
– inetOrgPerson as defined in RFC 2798 is now
implemented
• Auxiliary classes can be associated with an
instantiated object
• Support for dynamic objects
– Dynamic objects have a TTL after which they
are removed from the directory
63

Attribute Properties
• The properties of an attribute define settings
which include:
– Attribute identifiers
• OID, ldapDisplayName, SchemaIDGUID
– The syntax of the data stored in an instance of
the attribute
– Single-valued or multivalued data storage
– The allowable data range
– Attribute management
• Linked, indexed, member of ANR set, replicated to
the GC and more…
64

Viewing Attribute Properties
• ADSIEdit or LDP allows full access to all properties of an attribute
• Limited access to an attribute’s properties is available through the Schema Manager Snap-In
– The Schema Manager Snap-In requires registering
• Automatically done when the Admin pack (Adminpak.msi) is installed
• Run: regsvr32 schmmgmt.dll
65

Windows 2000 Schema Manager
(screenshot of the attribute property page, annotated with the underlying properties showInAdvancedViewOnly, isDefunct, searchFlags and isMemberOfPartialAttributeSet)

66

Linked Attributes
(diagram: the forward-link Manager and the back-link Direct Reports between users such as Simon, Tom, Peter, Paul, Sally, Amy and Debbie)
The Direct Reports (reports) attribute is multivalued and contains the DNs of the objects that contain forward links that reference this object
Linked attributes are identified by their linkID properties being set to n and n+1
The forward-link is identified by an even value of n; n+1 identifies the back-link
• Linked attributes are pairs of attributes where the value of the back-link is derived from the forward-link details
67

Referencing Other Objects
(diagram: the DSA presents object A with an attribute holding the DN of referenced object B; in the database, the record for object A holds the database location of object B’s record rather than its DN)
• If attributes reference other objects, rather than storing the DN of the referenced object, the database location of the object is stored
– This avoids the need to change multiple attributes if the DN of the object changes
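An added example, not from the seminar, that models the two slides above in a few dozen lines: objects are records addressed by a database record number, a reference stores that number instead of the DN, and a back-link is never stored but derived from the forward links that point at a record. The linkID table follows the even/odd pairing rule from the Linked Attributes slide (the pairs member/memberOf and manager/directReports are the familiar ones; the numbers serve only to show the rule), and the people are constructed.

```python
# linkID pairing from the Linked Attributes slide: forward link = even n, back-link = n+1.
# member/memberOf and manager/directReports are the familiar pairs; the numbers are illustrative.
LINK_ID = {"member": 2, "memberOf": 3, "manager": 42, "directReports": 43}


def backlink_of(attr):
    """Return the back-link attribute paired with a forward-link attribute."""
    n = LINK_ID[attr]
    if n % 2:
        raise ValueError("%s is a back-link (odd linkID %d), not a forward link" % (attr, n))
    return next(a for a, v in LINK_ID.items() if v == n + 1)


class ToyDit:
    """Toy model of the database: each object is a record keyed by a record number,
    and a reference to another object stores that number, never the DN."""

    def __init__(self):
        self.records = {}    # record number -> {"dn": str, "links": {forward attr: set of record numbers}}
        self.by_dn = {}      # lower-cased DN -> record number (the DSA's name lookup)

    def add(self, dn):
        num = len(self.records) + 1
        self.records[num] = {"dn": dn, "links": {}}
        self.by_dn[dn.lower()] = num
        return num

    def _num(self, dn):
        return self.by_dn[dn.lower()]

    def set_link(self, src_dn, attr, target_dn):
        """Write a forward link; the back-link side is never stored."""
        backlink_of(attr)                                 # rejects back-link attributes
        links = self.records[self._num(src_dn)]["links"]
        links.setdefault(attr, set()).add(self._num(target_dn))

    def rename(self, old_dn, new_dn):
        """Only the renamed record changes: referencing records hold its number, not its DN."""
        num = self.by_dn.pop(old_dn.lower())
        self.records[num]["dn"] = new_dn
        self.by_dn[new_dn.lower()] = num

    def view(self, dn):
        """The view the DSA presents: forward links resolved to current DNs, back-links
        derived by finding every forward link that points at this record."""
        num = self._num(dn)
        out = {"dn": self.records[num]["dn"]}
        for attr, targets in self.records[num]["links"].items():
            out[attr] = sorted(self.records[t]["dn"] for t in targets)
        back = {}
        for rec in self.records.values():
            for attr, targets in rec["links"].items():
                if num in targets:
                    back.setdefault(backlink_of(attr), []).append(rec["dn"])
        out.update((attr, sorted(dns)) for attr, dns in back.items())
        return out


def demo():
    """Constructed scenario: Tom and Peter report to Simon, who is then moved and renamed."""
    dit = ToyDit()
    simon, tom, peter = ("cn=%s,ou=staff,dc=example,dc=com" % n for n in ("simon", "tom", "peter"))
    for dn in (simon, tom, peter):
        dit.add(dn)
    dit.set_link(tom, "manager", simon)
    dit.set_link(peter, "manager", simon)
    dit.rename(simon, "cn=simon smith,ou=managers,dc=example,dc=com")
    return dit
```

After `demo()` runs, Tom's `manager` value already reads as the new DN even though Tom's record was never touched, and Simon's `directReports` is computed on the fly from the two forward links; attempting to write `directReports` directly is rejected because its linkID is odd.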
68

Phantom Records
(diagram: the DSA presents object A with the DN of referenced object Z; in the database, object A’s record holds a reference to a phantom record that stands in for object Z and carries the identifying details (GUID and SID) of the referenced object)
• A phantom record is created if an attribute references an object in another domain; this maintains the database reference paradigm
– The phantom is created locally on each DC that receives a replica of object A
– Phantoms are not required on the GC, as a database record for the referenced object already exists
69

Maintaining Phantoms
• The Infrastructure Master runs on one DC in the domain and maintains phantoms that are held in the DC’s database
– It checks phantom record data against the corresponding GC entries
• If changes to the referenced objects are detected these are replicated to all other DCs in the domain
• The Infrastructure Master should not be run on the GC
– No phantom records to check!
70

Extending the Schema
(diagram: a new object class can be built from existing attributes and a new attribute; a new attribute can also be added to an existing object class and used with existing object instances)
• The Schema can be extended by creating new object classes and attributes
71

OIDs
• Object classes, attributes and syntaxes are
defined using OIDs
• The preferred method of obtaining an OID
is to obtain your own root ID
– web.ansi.org/public/services/reg_org.html
– www.iso.ch/addresse/membodies.html

• You can register a prefix and obtain an OID


from
http://msdn.microsoft.com/certification/adreg.asp

72

Modifying Schema Objects
• Modifications to existing Schema objects are restricted
• There are two categories of objects
– Category 1 objects are shipped with Windows 2000 in the base Schema
– Category 2 objects are Schema objects that are subsequently added
• Category 1 objects are identified by the 0x10 bit being set in systemFlags
– This value cannot be changed
– The systemFlags also define whether the object can be moved, deleted or renamed
73

Extending the Schema
• The preferred method is to use LDIF scripts
– Alternatives are: programmatically or via the UI
• It is necessary to update the Schema cache prior to using the extensions
– Automatic after 5 minutes
– Use the operational attribute schemaUpdateNow

74

Schema Protection
• Only members of the Schema Admins group
can make changes to the schema
– Make sure that the Schema administrators are
aware of their responsibilities
• A safety interlock is provided in the Registry
before changes can be made
HKLM\SYSTEM\CurrentControlSet…
\Services\NTDS\Parameters\SchemaUpdateAllowed
– Can be enabled via the Schema Manager

75

Example LDIF Script
dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
adminDescription: ms-Exch-Schema-Version-Pt
adminDisplayName: ms-Exch-Schema-Version-Pt
attributeID: 1.2.840.113556.1.4.7000.102.97
attributeSyntax: 2.5.5.9
isMemberOfPartialAttributeSet: FALSE
isSingleValued: TRUE
lDAPDisplayName: msExchSchemaVersionPt
name: ms-Exch-Schema-Version-Pt
oMSyntax: 2
objectCategory: CN=Attribute-Schema,cn=schema,cn=configuration,dc=example,dc=com
objectClass: attributeSchema
rangeLower: 1
rangeUpper: 1
schemaIdGuid:: 1ZiBX8nnYEWxZgjcfPwXwQ==
searchFlags: 0

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: modify
replace: rangeUpper
rangeUpper: 4397
-

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-
76

Example LDIF Script
• The example script shows the final Schema changes when installing Exchange 2000
– The rangeUpper value of the ms-Exch-Schema-Version-Pt attribute identifies the schema extensions build number
• RC1 = 4197, RC2 = 4364, and RTM = 4397
• Execute the script using:
ldifde -s srv1 -i -f c:\script.ldf
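To make the LDIF change-record format on the LDIF examples slide and in the schema script above concrete, here is an added example (written for this page; it is neither ldifde nor any part of the seminar) that parses RFC 2849 change records and applies them to an in-memory directory. The sample script is the slides' schema-extension script shortened to the attributes needed here, with the last two records deliberately run together without a blank line, as the slide prints them; the empty dn stands for RootDSE, which is where the schemaUpdateNow operational attribute is written.

```python
import base64
import uuid

# Shortened from the slides' Exchange 2000 schema script. The second and third records are
# run together without a separating blank line, exactly as the slide shows them.
SAMPLE_LDIF = """\
dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: add
attributeID: 1.2.840.113556.1.4.7000.102.97
attributeSyntax: 2.5.5.9
isSingleValued: TRUE
lDAPDisplayName: msExchSchemaVersionPt
objectClass: attributeSchema
rangeUpper: 1
schemaIdGuid:: 1ZiBX8nnYEWxZgjcfPwXwQ==
searchFlags: 0

dn:
changetype: modify
replace: schemaUpdateNow
schemaUpdateNow: 1
-
dn: CN=ms-Exch-Schema-Version-Pt,cn=schema,cn=configuration,dc=example,dc=com
changetype: modify
replace: rangeUpper
rangeUpper: 4397
-
"""


def _split(line):
    """Split 'attr: value' or 'attr:: base64' into (attr, value); '::' values decode to bytes."""
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        return attr.strip(), base64.b64decode(rest[1:].strip())
    return attr.strip(), rest.strip()


def parse_ldif(text):
    """Parse LDIF change records. A record ends at a blank line or, as in the slide's
    script, at the next 'dn:' line; a line starting with a space continues the previous one."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.startswith("#"):
            lines.append(raw)
    records, current = [], []
    for line in lines + [""]:
        blank = line.strip() == ""
        if current and (blank or line.lower().startswith("dn:")):
            records.append(_parse_record(current))
            current = []
        if not blank:
            current.append(line)
    return records


def _parse_record(lines):
    attr, dn = _split(lines[0])
    if attr.lower() != "dn":
        raise ValueError("record must start with dn:")
    rec = {"dn": dn, "changetype": "add", "attrs": {}, "mods": []}
    body = lines[1:]
    if body and body[0].lower().startswith("changetype:"):
        rec["changetype"] = _split(body[0])[1].lower()
        body = body[1:]
    if rec["changetype"] != "modify":              # add (or delete, which has no body)
        for line in body:
            a, v = _split(line)
            rec["attrs"].setdefault(a, []).append(v)
        return rec
    current_op = None
    for line in body:
        if line == "-":                            # terminates one add/replace/delete operation
            current_op = None
        elif current_op is None:
            op, target = _split(line)              # e.g. 'replace: rangeUpper'
            current_op = [op.lower(), target, []]
            rec["mods"].append(current_op)
        else:
            current_op[2].append(_split(line)[1])
    return rec


def apply_ldif(directory, records):
    """Apply change records to an in-memory directory {dn: {attr: [values]}}.
    The empty DN is RootDSE, whose operational attributes trigger actions on the server."""
    for rec in records:
        dn, ct = rec["dn"], rec["changetype"]
        if ct == "add":
            if dn in directory:
                raise ValueError("object already exists: " + dn)
            directory[dn] = {a: list(v) for a, v in rec["attrs"].items()}
        elif ct == "delete":
            del directory[dn]
        elif ct == "modify":
            obj = directory[dn]
            for op, attr, values in rec["mods"]:
                if op == "add":
                    obj.setdefault(attr, []).extend(values)
                elif op == "replace":
                    obj[attr] = list(values)
                elif op == "delete":               # no values: remove the whole attribute
                    obj[attr] = [v for v in obj.get(attr, []) if v not in values] if values else []
                    if not obj[attr]:
                        del obj[attr]
        else:
            raise ValueError("unsupported changetype: " + ct)
    return directory


def schema_id_guid(record):
    """Render the base64 schemaIdGuid of an add record as a GUID string (little-endian layout)."""
    return str(uuid.UUID(bytes_le=record["attrs"]["schemaIdGuid"][0]))


def run_sample():
    """Start from an empty directory plus a RootDSE entry and apply the sample script."""
    return apply_ldif({"": {}}, parse_ldif(SAMPLE_LDIF))
```

The `::` form matters for schema scripts: `schemaIdGuid` is a binary GUID, so ldifde writes it base64-encoded, and the bytes are in the Windows little-endian GUID layout, which is why `uuid.UUID(bytes_le=...)` rather than `bytes=` reproduces the value shown in Schema Manager.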

77

Deletion of Schema Objects
• In Windows 2000, once an object or attribute has been added to the Schema it cannot be deleted
– It can be disabled (isDefunct=TRUE)
• Windows .NET will allow Schema objects set as defunct to have their identification properties reused
– E.g. OID, ldapDisplayName, mapiId
– Identification properties can only be redefined if the Forest is in .NET functional level or higher
78

Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Securing Directory Objects
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication

79

AD Architecture
(diagram, top to bottom: LDAP/ADSI, replication transports, NT SAM calls and Outlook clients enter through the LDAP, REPL, SAM and MAPI interfaces of the Directory Service Agent (DSA); beneath the DSA sit the DB Layer and the Extensible Storage Engine)

80

ESE
• Originally code named JET Blue
– Completely different to the Access database
(JET Red)
– ESE97 – Exchange 5.5
– ESENT – Windows 2000 (esent.dll)
• Uses the same format and engine ulVersion (620,2)
as ESE97
– ESE98 – Exchange 2000
• Additional enhancements, including streaming file
support

JET = Joint Engine Technology
81

What’s Required?
• A fast and highly optimised way of storing
and retrieving loosely-structured and semi-
structured data
• Integrity and crash survival (ACID)
– Transactions are:
• Atomic
• Consistent
• Isolated
• Durable

82

Transaction Logging
(diagram: a database write request goes to ESE, which calculates the database changes, writes the transaction to the transaction buffer and to the log file edb.log, and confirms the write; the transaction is committed to ntds.dit later, and the checkpoint in edb.chk is updated)
• The write is only confirmed once the transaction has been written to the log file
83

Log Files
• There is always a delay between the
transaction log being written and the
transaction being committed
– This delta is referred to as the checkpoint depth
• The current log file is always edb.log
– The older logs are identified as edb0000x.log
• x is an incrementing hex number
– The log file size is 10 MB

84

Circular Logging
• The Active Directory uses circular logging (no supported way of disabling)
– When all the transactions in the log file have been committed, the file is deleted
• Non-circular logging is mainly used for incremental backup
– The System State, which includes the directory, must be backed up as a single entity
– Circular logging is used because other components of the System State do not support incremental backup
85

Recovery
• If the system crashes before all of the
transactions are committed, the lost
transactions are recovered from the log file
• ESE determines which transactions have
been committed by reading the dbTime
value in the log file
– edb.chk is only used to identify which log files
should be checked
• This speeds up the operation
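The Transaction Logging, Log Files, Circular Logging and Recovery slides describe one mechanism from four angles. The following is an added toy model written for this page (it is not ESE and not the seminar's code): a write is confirmed as soon as its transaction is in the log, the database is updated lazily, the checkpoint depth is the gap between the two, a crash loses only the buffered pages, and recovery replays the log records beyond the checkpoint. The dbTime bookkeeping that ESE uses to decide what is committed is simplified here to a record count, and the 10 MB log-file rollover is not modelled.

```python
class ToyEse:
    """Toy model of ESE write-ahead logging (not the real engine): a write is confirmed once
    the transaction is in the log, the database pages are written later, and the checkpoint
    (edb.chk) records how many log records have already reached the database."""

    def __init__(self, database=None, log=None, checkpoint=0):
        self.database = dict(database or {})   # ntds.dit: durable pages
        self.log = list(log or [])             # edb.log: durable, append-only transaction records
        self.checkpoint = checkpoint           # edb.chk: count of log records applied to the database
        self.buffer = {}                       # transaction buffer: dirty pages, lost on a crash

    def write(self, key, value):
        """Database write request: calculate the change, log the transaction, then confirm."""
        self.buffer[key] = value
        self.log.append((key, value))          # durable from this point on
        return True                            # confirmation precedes the database write

    def checkpoint_depth(self):
        """Number of confirmed transactions not yet written to the database."""
        return len(self.log) - self.checkpoint

    def flush(self):
        """Lazy database write: commit the dirty pages and advance the checkpoint. With
        circular logging a log whose transactions are all committed is deleted."""
        self.database.update(self.buffer)
        self.buffer = {}
        self.log, self.checkpoint = [], 0
        return self.database

    def crash(self):
        """Simulate a crash: only the durable files survive (database, log, checkpoint)."""
        return ToyEse(self.database, self.log, self.checkpoint)

    def recover(self):
        """Soft recovery at startup: replay the log records beyond the checkpoint."""
        for key, value in self.log[self.checkpoint:]:
            self.database[key] = value
        self.checkpoint = len(self.log)
        return self.database


def demo():
    """Constructed scenario: one flushed write, two confirmed but unflushed writes, then a crash."""
    ese = ToyEse()
    ese.write("cn=a", "v1")
    ese.flush()
    ese.write("cn=a", "v2")
    ese.write("cn=b", "v1")
    depth = ese.checkpoint_depth()             # 2: confirmed to the client, not yet in ntds.dit
    restarted = ese.crash()
    before = dict(restarted.database)          # what the database file alone contains
    after = dict(restarted.recover())          # log replay brings the confirmed writes back
    return depth, before, after
```

The scenario in `demo()` is the case the Recovery slide cares about: after the crash the database file alone still shows the stale value, and it is only the replay of the two log records past the checkpoint that restores what the client was told had been written.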

86

File Summary
ntds.dit edb.log edb0000x.log edb.chk res1.log res2.log ntds.pat
• For maximum fault tolerance and performance use hardware arrays
– Database RAID 5
– Log files RAID 1 or RAID 0 + 1
87

Backing up the Directory
(diagram: log files edb018.log to edb021.log and edb.log, with the checkpoint frozen part way through)
1. Commit dirty pages
2. Freeze checkpoint
3. Backup the database (ntds.dit) in 64K blocks
4. Create a new edb.log
5. Backup all logs created since the frozen checkpoint
6. Backup the patch file
7. Delete logs prior to the checkpoint
Database transactions continue during the backup. Transactions that cause fundamental changes to the structure, for instance B-tree page splits, are written to the ntds.pat patch file
88

ntdsutil
• ntdsutil is the primary tool for checking the database files
– Invokes esentutl
• The system must be started in the Active Directory Restore mode
– Soft Recovery of the Log Files
• Performed by DSA at startup if the previous shutdown was not clean
– File Integrity check
• Low-level binary check of all data
– Semantic database analysis
• Checks references, deleted objects, container references, security descriptors…
89

Other ntdsutil Options

• Repair
– Should only be used if backups are not available
• There is no guarantee that it will work
• Offline defragmentation
– Online defragmentation automatically occurs
every 12 hrs
• Recovers storage, but does not reduce the size of the
database files
• Move
– Changes the location of the database and log files

90

Object Deletion

• On deletion
– IsDeleted set TRUE
– Marked as Tombstoned
• Default tombstone life 60 days
– Strips most attributes from object
• Key attributes retained, defined by attribute search
flag
– Moved to Deleted Objects container

91

Garbage collection
• Deleted objects with an expired tombstone
are removed by the garbage collection
services
• Default garbage collection every 12 hours

92

Be Careful
• Always do a full system backup before making any changes to the database
• Backup before and after moving the database
• Backups are only valid for the tombstone period

93

Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Securing Directory Objects
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication

94

Object Access
(diagram: ACEs in the ACL of a directory object, with the Sales, SalesManagers and Managers groups and directory read access as examples; ACEs can apply to specific attributes)
• Access to directory objects is controlled via Access Control Lists (ACLs)
– Fine granularity is provided by Access Control Entries (ACEs) that apply to specific attributes and actions (Extended rights)
95

UI Security Tab
The attributes displayed on the security tab are controlled by the file %SystemRoot%\System32\dssec.dat (@=7 means do NOT display the object; attribute=7 means do NOT display the attribute)
[serviceInstance]
@=7
adminDescription=7
adminDisplayName=7
…………………
[user]
aCSPolicyName=7
adminCount=7
allowedAttributes=7
allowedAttributesEffective=7
allowedChildClasses=7
…………………
[volume]
adminDescription=7
adminDisplayName=7
allowedAttributes=7
allowedChildClassesEffective=7
96

Anatomy of an ACE (simplified)
ACE Type: Access Allowed, Access Denied or Audit (Audit Success, Audit Fail), plus inheritance flags
Access Mask: specifies the type of access
– Delete
– Read/Write object security
– Generic Read/Write – access to object and all attributes
– Create/Delete child
– Read/Write property
– Extended write operation
Object Type: what the ACE applies to – an object, an attribute or an extended right
Inherited Object Type
Trustee (SID): identifies the security principal to which the ACE applies
97

Extended Rights
• Only a limited number of operations can be
defined through the access mask
– Extended rights are used to define special
operations and property sets
• Special operations include resetting passwords,
managing replication and changing FSMO roles
• Extended rights are identified by
ControlAccessRight objects created in
cn=extended-rights,cn=configuration…

98

Extended Rights (continued)
(diagram: the ControlAccessRight object cn=personal-information has appliesTo = user; its rightsGUID is placed in an ACL and is also added to the attributeSecurityGUID of all members of the property set)
• The objects to which extended rights apply are defined in the appliesTo attribute
• Access to an extended right is controlled by adding the rightsGUID attribute value to the object’s ACL
– The rightsGUID also identifies the attributes that are members of a property set
99

Property Sets
• Property Sets (Attribute Sets) allow
attributes to be grouped
– Read/Write access to the set is controlled using
a single ACE
• The set is identified by a GUID
– All members of the same set have the same
GUID in their attributeSecurityGUID property
• An example of a property set is a user’s
personal details: address, phone, etc
– GUID: 86b8b5774a94d1…
100

Detective Work
• We want to confirm that the user “Notes” property is a member of the Personal Information property set

Kimberry
_______
Associates
101

Solving the Problem

Flowchart, as a sequence of steps:

1. Check the locale: HKCU\Control Panel\International
   – Display names are language specific, so use the matching display specifier container (e.g. cn=409 for US English)
2. Map the UI display name to its ldapDisplayName using the display specifiers
3. Map the ldapDisplayName to its attributeSchema object (use LDP or the Schema Manager)
4. Look up the attribute's attributeSecurityGUID
5. Look up the rightsGUID of the Personal-Information controlAccessRight object in the Extended-Rights container
6. Do the GUIDs match?
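The last step, "do the GUIDs match?", has a trap that is worth showing. The Python below is an added example (not from the seminar): it walks the chain on constructed data, an attributeDisplayNames list as found on a user display specifier, a three-attribute stand-in schema, and the published rightsGUID of Personal-Information. attributeSecurityGUID comes back from LDAP as 16 octets in the GUID's little-endian layout, which is why the hex on the Property Sets slide starts 86b8b5774a94d1 rather than 77b5b886-944a-11d1, and a byte-for-byte comparison against the rightsGUID string never matches; the code converts with uuid.UUID(bytes_le=...) before comparing.

```python
"""Detective work, automated: UI label -> ldapDisplayName -> attributeSecurityGUID
-> compare with the property set's rightsGUID.

Added example, not code from the seminar. All directory data below is
constructed so that it runs offline; only the Personal-Information rightsGUID
is the real published value from cn=Extended-Rights.
"""
import uuid

# rightsGUID of cn=Personal-Information in the Extended-Rights container (string form).
PERSONAL_INFORMATION_RIGHTS_GUID = "77b5b886-944a-11d1-aebd-0000f80367c1"

# Constructed stand-in for attributeDisplayNames on cn=user-Display,cn=409,
# cn=DisplaySpecifiers,...: each value is "ldapDisplayName,UI label".
CONSTRUCTED_USER_DISPLAY = [
    "info,Notes",
    "telephoneNumber,Telephone Number",
    "description,Description",
]

# Constructed attributeSchema entries: ldapDisplayName -> attributeSecurityGUID
# octets as LDAP returns them (None = attribute belongs to no property set).
# 'info' and 'telephoneNumber' are modelled as Personal-Information members.
PI_OCTETS = uuid.UUID(PERSONAL_INFORMATION_RIGHTS_GUID).bytes_le
CONSTRUCTED_SCHEMA = {
    "info": PI_OCTETS,
    "telephoneNumber": PI_OCTETS,
    "description": None,
}


def guid_from_octets(octets):
    """Turn the 16 octets AD stores (first three fields little-endian) into the
    canonical string form that rightsGUID uses."""
    return str(uuid.UUID(bytes_le=bytes(octets)))


def naive_hex_matches(octets, rights_guid):
    """What a byte-for-byte comparison of the LDP hex dump against the rightsGUID
    string gives: False for a real GUID, because of the byte order."""
    return bytes(octets).hex() == rights_guid.replace("-", "").lower()


def ldap_name_for_label(attribute_display_names, ui_label):
    """Map a UI label back to its ldapDisplayName via the display specifier."""
    for value in attribute_display_names:
        ldap_name, _, label = value.partition(",")
        if label.strip().lower() == ui_label.strip().lower():
            return ldap_name.strip()
    return None


def in_property_set(schema, ldap_name, rights_guid):
    """True if the attribute's attributeSecurityGUID equals the set's rightsGUID."""
    octets = schema.get(ldap_name)
    if octets is None:
        return False
    return guid_from_octets(octets) == rights_guid.lower()


def check_personal_information(ui_label):
    """Full chain for one UI label; returns (ldapDisplayName, is_member)."""
    ldap_name = ldap_name_for_label(CONSTRUCTED_USER_DISPLAY, ui_label)
    if ldap_name is None:
        raise KeyError(f"no display specifier entry for {ui_label!r}")
    return ldap_name, in_property_set(
        CONSTRUCTED_SCHEMA, ldap_name, PERSONAL_INFORMATION_RIGHTS_GUID
    )


if __name__ == "__main__":
    print(guid_from_octets(PI_OCTETS), PI_OCTETS.hex())
    for label in ("Notes", "Description"):
        print(label, check_personal_information(label))
```

The same conversion applies to objectGUID and schemaIDGUID, which are stored in the same octet layout: anything that compares a binary GUID attribute against a string form of a GUID needs this byte swap first.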

ACEs

Example ACL, in order:
  1. DENY  SID1  W
  2. Allow SID3  RX
  3. Allow SID1  RX
  4. Allow SID3  W

• Each ACE grants or denies permissions for an individual security principal (a user or a group)
• The ACL is only checked until the requested access has been granted or denied
  – Evaluation stops as soon as every requested access bit has been granted by Allow ACEs, or as soon as a Deny ACE matches any requested bit not already granted; the remaining ACEs are never consulted

Canonical Ordering

Diagram: two ACLs built from the same ACEs (DENY NETWORK RD, ALLOW administrators Full, ALLOW Users RD), one in canonical order with the DENY first and one with an ALLOW ahead of the DENY

• Canonical order of ACEs has always been encouraged
  – All access denies are placed in advance of access allows
  – Because evaluation stops at the first decisive ACE, a deny placed after a matching allow is never reached
• Non-canonical ordering is now considered valid in certain circumstances
  – Hidden distribution lists in Exchange 2000

Viewing Non-Canonical ACLs

Screenshots: the security tab in Active Directory Users and Computers, before and after installing Exchange 2000

• Exchange 2000 replaces the ISecurityInformation interface
  – The standard ACL editor warns that a non-canonical DACL is incorrectly ordered and offers to re-sort it; re-sorting changes the evaluation order and can change the effective permissions

Object ACLs

Diagram: an OU carries an ACL; its inheritable ACEs flow down to the directory object below it, whose own ACL is made up of the inherited ACEs plus its explicit ACEs

• Objects can inherit ACEs as well as having them explicitly set

ACE Ordering

Explicit ACEs (checked first):
  DENY  SID20  W
  Allow SID3   R
  Allow SID1   R
  Allow SID3   W
Inherited ACEs (checked after the explicit ones):
  DENY  SID15  RWX
  DENY  SID1   RWD
  Allow SID11  R
  Allow SID31  W

• An object's explicit ACEs are checked in advance of inherited ACEs
  – This can result in non-canonical order (a DENY after an Allow) in the concatenated ACL: here SID1 is explicitly allowed R, so the inherited DENY of RWD for SID1 never blocks a read
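The following Python model is an added example (not code from the seminar) of the access check described on these ACE slides. It rebuilds the explicit and inherited ACEs listed above with the slide's stand-in SID names, walks the concatenated ACL the way AccessCheck does (stopping at the first decisive ACE), and then shows that simply moving every DENY to the front, which is what a "denies before allows" rule of thumb suggests, is not the same as canonical order: canonical order keeps explicit ACEs ahead of inherited ones, and the naive re-sort changes which ACE decides SID1's read.

```python
"""Model of the Windows access check over an AD object's DACL.

Added example, not code from the seminar. ACEs are tuples
(type, trustee, rights, inherited); rights are the single-letter bits used on
the slides (R, W, X, D). SIDs are the stand-in names from the slide.
"""

DENY, ALLOW = "DENY", "ALLOW"


def evaluate(dacl, token_sids, requested):
    """Walk the DACL in order and stop at the first decisive ACE.

    An ALLOW for a SID in the token removes its bits from what is still wanted;
    a DENY for a SID in the token that covers any bit still wanted fails the
    check. Returns (granted, index of the deciding ACE or None).
    """
    wanted = set(requested)
    for i, (ace_type, trustee, rights, _inherited) in enumerate(dacl):
        if trustee not in token_sids:
            continue
        if ace_type == DENY and wanted & rights:
            return False, i
        if ace_type == ALLOW:
            wanted -= rights
            if not wanted:
                return True, i
    return False, None  # fell off the end with bits outstanding: implicit deny


def concatenate(explicit, inherited):
    """The order AD hands the ACL to the access check: explicit first, then
    inherited, each group in its own order."""
    return list(explicit) + list(inherited)


def is_canonical(dacl):
    """Canonical order is explicit DENY, explicit ALLOW, inherited DENY,
    inherited ALLOW, not merely 'all denies first'."""
    rank = {(False, DENY): 0, (False, ALLOW): 1, (True, DENY): 2, (True, ALLOW): 3}
    ranks = [rank[(inherited, ace_type)] for ace_type, _s, _r, inherited in dacl]
    return ranks == sorted(ranks)


def all_denies_first(dacl):
    """The naive re-sort: every DENY ahead of every ALLOW, inheritance ignored."""
    return sorted(dacl, key=lambda ace: ace[0] == ALLOW)  # stable sort


EXPLICIT = [
    (DENY,  "SID20", {"W"}, False),
    (ALLOW, "SID3",  {"R"}, False),
    (ALLOW, "SID1",  {"R"}, False),
    (ALLOW, "SID3",  {"W"}, False),
]
INHERITED = [
    (DENY,  "SID15", {"R", "W", "X"}, True),
    (DENY,  "SID1",  {"R", "W", "D"}, True),
    (ALLOW, "SID11", {"R"},           True),
    (ALLOW, "SID31", {"W"},           True),
]
OBJECT_DACL = concatenate(EXPLICIT, INHERITED)


def demo():
    naive = all_denies_first(OBJECT_DACL)
    return {
        # explicit Allow (index 2) grants R before the inherited Deny (index 5) is reached
        "sid1_read": evaluate(OBJECT_DACL, {"SID1"}, {"R"}),
        # nothing explicit grants D, so the inherited Deny decides
        "sid1_delete": evaluate(OBJECT_DACL, {"SID1"}, {"D"}),
        # two Allow ACEs for SID3 together satisfy R+W
        "sid3_rw": evaluate(OBJECT_DACL, {"SID3"}, {"R", "W"}),
        # no ACE grants W to SID11: implicit deny at the end
        "sid11_write": evaluate(OBJECT_DACL, {"SID11"}, {"W"}),
        # pushing all denies first moves the inherited Deny ahead of the explicit Allow
        "sid1_read_naive": evaluate(naive, {"SID1"}, {"R"}),
        "object_is_canonical": is_canonical(OBJECT_DACL),
        "naive_is_canonical": is_canonical(naive),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The model deliberately omits owner rights, privileges and the generic-to-specific mapping of access masks; it is only the ordering logic that matters here.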

Inheritance Propagation

Diagram: an ACL set on the top OU is propagated down a tree of OUs, each child OU receiving a copy of the inheritable ACEs

• Inheritable ACLs can be propagated throughout the domain or a subtree of OUs

Controlling Inheritance

Diagram: two OU trees. In the first, inheritance is restricted to one level, so only the immediate child OUs receive the ACL. In the second, one child object is protected and does not receive the inherited ACL.

• Inheritance restricted to one level
• Protected child object

ACE Inheritance

The ACE fields that control inheritance:

• ACE Type
• Inheritance flags and Audit flags
• Access Mask
• Object Type – applies to the object, an attribute or an extended right
• Inherited Object Type – the object type that will inherit this ACE: all objects, or only the class specified by GUID
• Trustee (SID)

Inheritance flags:
• Inherit this ACE (CONTAINER_INHERIT_ACE)
• Only propagate one level (NO_PROPAGATE_INHERIT_ACE)
• Inherit only – the ACE does not apply to this object (INHERIT_ONLY_ACE)
• This ACE was inherited (INHERITED_ACE)

The SE_DACL_PROTECTED flag in the Control field of the object's security descriptor prevents the object from inheriting ACEs from its parent.

dsacls

C:\>dsacls cn=jill,dc=child,dc=example,dc=com
Access list:
Effective Permissions on this object are:
Allow CHILD\Domain Admins             FULL CONTROL
Allow NT AUTHORITY\SYSTEM             FULL CONTROL
Allow BUILTIN\Account Operators       FULL CONTROL
Allow NT AUTHORITY\SELF               SPECIAL ACCESS for Personal Information
                                      WRITE PROPERTY
                                      READ PROPERTY
Allow NT AUTHORITY\SELF               SPECIAL ACCESS for Phone and Mail Options
                                      WRITE PROPERTY
                                      READ PROPERTY
Allow NT AUTHORITY\SELF               SPECIAL ACCESS for Web Information
                                      WRITE PROPERTY
                                      READ PROPERTY
Allow NT AUTHORITY\Authenticated Users
                                      SPECIAL ACCESS for Personal Information
                                      READ PROPERTY

• Available via the Support Tools
• "SPECIAL ACCESS for Personal Information" is a property-set ACE: the Object Type of the ACE is the rightsGUID of the Personal-Information control access right

Initial Object ACL

Diagram: the inheritable ACL from the parent OU is combined with the explicit ACL from the schema to produce the new object's ACL

• Set programmatically during creation
• Inherit ACL from parent and combine with the explicit schema default ACL for the particular object type

Controlling Object Visibility

Diagram: on the Sales OU, the explicit Read ACE for Authenticated Users is removed; afterwards only the sales domain users and corporate managers who are granted Read can see the volume objects

• For many of the objects, the default ACL from the schema provides Read for Authenticated Users
  – To control the visibility, this ACE must be removed (and Read granted explicitly to those who need it)

Modifying the Default Explicit Permissions

• The default permissions stored in the schema can be modified
  – Location: the defaultSecurityDescriptor attribute of the classSchema object
  – Stored as an SDDL Unicode string
  – Changing the default only affects objects created afterwards; existing objects keep their current ACL
• The permissions from the schema can be reapplied using dsacls …… /S /T
• Check if schema defaults apply to an object with acldiag …… /schema

SDDL = Security Descriptor Definition Language
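Because defaultSecurityDescriptor is plain SDDL, the "remove Read for Authenticated Users" change from the previous slide can be scripted rather than clicked. The following is an added Python example (not from the seminar): a small SDDL DACL parser, a function that strips the Authenticated Users (AU) Allow ACEs, and a renderer that writes the string back. The sample descriptor is constructed in the shape the schema defaults take (full control for DA and SY, read for AU); it is not claimed to be any particular class's actual default.

```python
"""Parse, edit and re-render the DACL of an SDDL string such as the schema's
defaultSecurityDescriptor.

Added example, not code from the seminar. The sample string is constructed in
the shape of a typical schema default (full control for Domain Admins and
SYSTEM, read for Authenticated Users); it is not a specific class's default.
"""
import re

# Rights whose presence lets a trustee see an object or its attributes.
READ_RIGHTS = {"GA", "GR", "RP", "LC", "LO", "RC"}

# Well-known SDDL abbreviations: DA = Domain Admins, SY = SYSTEM, AU = Authenticated Users
CONSTRUCTED_DEFAULT_SD = (
    "D:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
    "(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;SY)"
    "(A;;RPLCLORC;;;AU)"
)

_ACE_RE = re.compile(r"\(([^)]*)\)")


def split_rights(rights):
    """'RPLCLORC' -> ['RP', 'LC', 'LO', 'RC']; a hex mask is kept as one token."""
    if rights.startswith(("0x", "0X")):
        return [rights]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights string: {rights!r}")
    return [rights[i:i + 2] for i in range(0, len(rights), 2)]


def parse_sddl(sddl):
    """Return (head, dacl_flags, aces, tail). head is anything before 'D:'
    (owner/group), tail is the SACL ('S:...') if present, both kept verbatim."""
    start = sddl.index("D:")
    head, rest = sddl[:start], sddl[start + 2:]
    sacl = rest.find("S:")
    tail = ""
    if sacl != -1:
        rest, tail = rest[:sacl], rest[sacl:]
    first = rest.find("(")
    flags = rest if first == -1 else rest[:first]
    aces = []
    for body in _ACE_RE.findall(rest):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({body})")
        ace_type, ace_flags, rights, obj, inherit_obj, sid = fields
        aces.append({
            "type": ace_type, "flags": ace_flags, "rights": split_rights(rights),
            "object": obj, "inherit_object": inherit_obj, "sid": sid,
        })
    return head, flags, aces, tail


def render_ace(ace):
    return "({};{};{};{};{};{})".format(
        ace["type"], ace["flags"], "".join(ace["rights"]),
        ace["object"], ace["inherit_object"], ace["sid"])


def render_sddl(head, flags, aces, tail):
    return head + "D:" + flags + "".join(render_ace(a) for a in aces) + tail


def grants_read(ace):
    return ace["type"] in ("A", "OA") and bool(set(ace["rights"]) & READ_RIGHTS)


def remove_allow_aces_for(sddl, sid):
    """Drop every Allow ACE for `sid` (e.g. 'AU'); return (new_sddl, removed)."""
    head, flags, aces, tail = parse_sddl(sddl)
    removed = [a for a in aces if a["sid"] == sid and a["type"] in ("A", "OA")]
    kept = [a for a in aces if a not in removed]
    return render_sddl(head, flags, kept, tail), removed


def who_can_read(sddl):
    """SIDs (abbreviated) that hold at least one read-type right."""
    _, _, aces, _ = parse_sddl(sddl)
    return sorted({a["sid"] for a in aces if grants_read(a)})


if __name__ == "__main__":
    hidden, dropped = remove_allow_aces_for(CONSTRUCTED_DEFAULT_SD, "AU")
    print(hidden)
    print("removed:", [render_ace(a) for a in dropped])
    print("readers before:", who_can_read(CONSTRUCTED_DEFAULT_SD))
    print("readers after:", who_can_read(hidden))
```

Note that the AU ACE carries LC (list contents) as well as RP; removing the whole ACE is what hides the objects, whereas removing RP alone would still let Authenticated Users enumerate them.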

List Object Mode

Diagram: group G1 holds List Contents on a container, is allowed access to two of the three contained objects and denied access to the third. With List Contents, G1 still sees the existence of all three. In List Object mode, a user without List Contents on the container sees only the contained objects on which it holds the List Object right.

• List Contents allows users to see the existence of contained objects even if access is denied to some of those objects
• The List Object mode allows the contained objects to be hidden
  – Caveat: additional CPU cycles required for access checking, because every child object is access-checked individually

Selecting List Object Mode

• Set the third character of the dsHeuristics attribute to 1
  – dsHeuristics lives on cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,… and is forest wide
  – If the dsHeuristics attribute is not already set, set it to 001 to enable List Object mode
  – If the attribute already contains a value, modify only the third character and leave the rest as it is
• Remember the first two characters control the ANR search algorithm
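Because dsHeuristics is one positional string rather than a set of named flags, the safe way to flip one switch is read-modify-write. The Python below is an added example (not from the seminar): it sets or reads a given character position, zero-padding shorter strings, and emits the LDIF that ldifde -i would apply to the Directory Service object. The forest root DN in the demo is an assumption.

```python
"""Set one positional flag in dsHeuristics without disturbing the others.

Added example, not code from the seminar. dsHeuristics is a single string on
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<forest root>
in which each character position is a separate switch: positions 1 and 2
affect ANR, position 3 is List Object mode. Writing "1" to turn on List
Object mode would silently clobber the ANR settings; the functions below
read-modify-write the string instead.
"""

LIST_OBJECT_MODE = 3  # 1-based character position


def set_heuristic(current, position, value):
    """Return dsHeuristics with character `position` set to `value`,
    zero-padding if the current string is shorter, preserving the rest."""
    if not isinstance(value, str) or len(value) != 1:
        raise ValueError("a heuristic flag is a single character")
    if position < 1:
        raise ValueError("positions are 1-based")
    chars = list(current or "")
    while len(chars) < position:
        chars.append("0")
    chars[position - 1] = value
    return "".join(chars)


def get_heuristic(current, position):
    """Character at `position`, or '0' if the string is too short (unset)."""
    chars = current or ""
    return chars[position - 1] if len(chars) >= position else "0"


def enable_list_object_mode(current):
    return set_heuristic(current, LIST_OBJECT_MODE, "1")


def list_object_mode_enabled(current):
    return get_heuristic(current, LIST_OBJECT_MODE) == "1"


def ldif_modify(forest_root_dn, new_value):
    """LDIF for ldifde -i that replaces dsHeuristics on the Directory Service
    object (forest_root_dn is supplied by the caller, e.g. dc=example,dc=com)."""
    dn = f"cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,{forest_root_dn}"
    return "\n".join([
        f"dn: {dn}",
        "changetype: modify",
        "replace: dsHeuristics",
        f"dsHeuristics: {new_value}",
        "-",
        "",
    ])


if __name__ == "__main__":
    for before in (None, "", "01", "1", "0001"):
        print(repr(before), "->", enable_list_object_mode(before))
    print(ldif_modify("dc=example,dc=com", enable_list_object_mode("01")))
```

Read the current value first (the demo shows the difference between an unset attribute, "01" and "0001"), and be aware that once the string reaches ten or more characters Windows .NET requires every tenth character to be the digit of its position (the 10th "1", the 20th "2"); set_heuristic does not enforce that rule.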

AdminSDHolder

Diagram: the ACL on cn=AdminSDHolder,cn=system,dc=domain,dc… is the template. For each member of the Administrators group (and the other protected administrative groups) the template ACL is compared with the account's ACL; if different, the account's ACL is replaced with the template and inheritance is disabled.

• The ACL on user accounts that are domain administrators is automatically set and refreshed to enhance security
  – The propagator thread runs every hour on the PDC FSMO
  – Because inheritance is disabled on these accounts, permissions delegated on their OU do not apply to them

Default Template
• The default ACL template on
AdminSDHolder cannot be fully edited
through the UI
– For example, there is no Change Password
ACE for a container
• Change the template with dsacls

dsacls cn=adminsdholder,cn=system,dc=….
/G “Everyone:CA;Change Password”


Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Securing Directory Objects
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication


Problem
• The European division is a child domain of
corporate HQ in the US
– The European Domain Administrators need to
authorize their own DHCP servers
• Authorization fails
• HQ is not prepared to elevate the European
domain admins to Enterprise admins
• How do you solve the dilemma?


Solution

1. Enable auditing on the directory
2. Attempt to authorize the DHCP server
3. View the failed access in the security log
4. Adjust the security on the directory objects
5. Iterate until the problem is solved
6. Smile

Solution (continued)

Diagram: cn=NetServices,cn=Services,cn=Configuration,dc=example,dc=com contains cn=DhcpRoot and one dHCPClass object per authorized server (cn=netads01.example.com). Authorizing netads03.child.example.com fails at two points:

1. Create child object – the European domain admins cannot create the dHCPClass object cn=netads03.child.example.com under cn=NetServices
2. Update root – they cannot update cn=DhcpRoot

• On the ACL of cn=NetServices, enable creation of dHCPClass objects
• On the ACL of cn=DhcpRoot, enable updating of the DhcpRoot object

Delegation of Control Wizard

• The tasks presented in the delegation of


control wizard are controlled through the
template file
%SystemRoot%\inf\delegwiz.inf
• The options displayed in the custom
tasks are controlled via dssec.dat


delegwiz.inf

[Version]
signature="$CHICAGO$"

[DelegationTemplates]
Templates = template1, template3, template4, template5

;------------------------------------------------------
[template1]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA
;------------------------------------------

Annotations:
• [DelegationTemplates] lists the templates the wizard offers
• AppliesToClasses – the classes the template applies to; domainDns is the LDAP name of the domain object (domainDNS), it does not specify a particular domain
• ObjectTypes – SCOPE applies to the selected object and all objects below it; user applies to user objects
• [template1.SCOPE] user=CC,DC – Create & delete user objects
• [template1.user] @=GA – @ specifies the class defined on the ObjectTypes line; GA = Generic All (full control)
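To see what a template actually grants, it helps to expand delegwiz.inf mechanically. The Python below is an added example (not from the seminar) that reads the INF with configparser and turns each template into the (object type, target, rights) entries the wizard would write as ACEs. The INF text is constructed from the fragment above plus a second, made-up template; it is not a copy of the shipped delegwiz.inf, and a listed template with no section (template3 here) is skipped the way an incomplete file would be.

```python
"""Read a delegwiz.inf template file and expand each template into the
permissions the Delegation of Control wizard would set.

Added example, not code from the seminar. The INF text is constructed from
the fragment on the slide plus a second, made-up template; it is not a copy
of the shipped delegwiz.inf.
"""
import configparser

CONSTRUCTED_DELEGWIZ_INF = """\
[Version]
signature="$CHICAGO$"

[DelegationTemplates]
Templates = template1, template2, template3

;------------------------------------------------------
[template1]
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
ObjectTypes = SCOPE, user

[template1.SCOPE]
user=CC,DC

[template1.user]
@=GA

;------------------------------------------------------
[template2]
AppliesToClasses=organizationalUnit
Description = "Reset user passwords (constructed template)"
ObjectTypes = user

[template2.user]
CONTROLRIGHT="Reset Password"
pwdLastSet=RP,WP
"""

# SDDL-style right codes used by the wizard templates.
RIGHT_NAMES = {
    "CC": "Create child", "DC": "Delete child", "GA": "Generic All (full control)",
    "GR": "Generic Read", "GW": "Generic Write", "RP": "Read property",
    "WP": "Write property", "LC": "List contents", "RC": "Read control",
    "WD": "Write DAC", "WO": "Write owner", "SD": "Delete",
}


def load_delegwiz(text):
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   comment_prefixes=(";", "#"))
    cp.optionxform = str  # keep the case of keys such as pwdLastSet and @
    cp.read_string(text)
    return cp


def _csv(value):
    return [v.strip().strip('"') for v in value.split(",") if v.strip()]


def template_names(cp):
    """Templates the wizard offers, skipping names with no matching section."""
    listed = _csv(cp["DelegationTemplates"]["Templates"])
    return [name for name in listed if cp.has_section(name)]


def expand_template(cp, name):
    """One template -> description, classes it applies to, and the ACE-like
    entries (object type, target, rights) that it sets."""
    section = cp[name]
    entries = []
    for object_type in _csv(section["ObjectTypes"]):
        sub = f"{name}.{object_type}"
        if not cp.has_section(sub):
            continue
        for target, rights in cp[sub].items():
            entries.append((object_type, target, _csv(rights)))
    return {
        "name": name,
        "description": section["Description"].strip().strip('"'),
        "applies_to": _csv(section["AppliesToClasses"]),
        "entries": entries,
    }


def offered_for(cp, object_class):
    """Templates the wizard would show when run on an object of this class."""
    return [
        t["name"] for t in (expand_template(cp, n) for n in template_names(cp))
        if object_class.lower() in (c.lower() for c in t["applies_to"])
    ]


def describe(entry):
    object_type, target, rights = entry
    what = ("the selected object and everything below it" if object_type == "SCOPE"
            else f"{object_type} objects")
    if target.upper() == "CONTROLRIGHT":
        return f"{what}: extended right {', '.join(rights)}"
    target_text = f"the {object_type} object itself" if target == "@" else target
    named = [RIGHT_NAMES.get(r, r) for r in rights]
    return f"{what}: {', '.join(named)} on {target_text}"


if __name__ == "__main__":
    cp = load_delegwiz(CONSTRUCTED_DELEGWIZ_INF)
    for name in template_names(cp):
        t = expand_template(cp, name)
        print(t["description"], "- applies to", ", ".join(t["applies_to"]))
        for entry in t["entries"]:
            print("   ", describe(entry))
```

Running it over the real %SystemRoot%\inf\delegwiz.inf is the quickest way to audit what each wizard task hands out before offering it to helpdesk staff.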

Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Object Security
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication


Creating Domains

• dcpromo creates a new DC


– Initial database from
…\system32\ntds.dit
– Default objects in DIT from
…\system32\schema.ini
• Three log files track the promotion
process
– Located in %SystemRoot%\Debug


Log Files
• dcpromoui.log
– Logs user interaction with the wizard and the
promotion process
– Increase logging levels via the Registry value
dcpromoui
– HKLM\Software\Microsoft\Windows\
CurrentVersion\AdminDebug
• dcpromo.log
– Logs promotion process
• dcpromos.log
– Logs domain upgrades


Promotion Failure

• If the promotion stops
  – Don't automatically cancel the wizard
  – Troubleshoot and you may be able to complete the promotion
  – Check the logs if the message from the AD Installation Wizard is unclear

Interpreting Error/Result Codes

• Interpret decimal codes via
  – net helpmsg xxx
  – SDK files winerror.h or lmerr.h
• If the error does not appear in winerror.h try subtracting 2100 and looking it up in lmerr.h
  – The NERR_ codes in lmerr.h are numbered from NERR_BASE (2100)
• Error codes in the format 8007xxxx are HRESULTs wrapping a Win32 error
  – Drop the 8007 and convert xxxx from hex to decimal, e.g. 8007054b → 0x54b → 1355 (ERROR_NO_SUCH_DOMAIN)

Updating the Display Specifiers

• During the promotion process for the first domain in a new forest, dchelp.exe is added to the RunOnce key
  – Executes at first logon
• dchelp.exe uses csvde to import over 1000 display specifier settings into the AD
  – Data files dcpromo.csv, 409.csv
    • (409.csv .NET only)
  – Check for successful completion in dcpromohelp.log

Rock-Solid DNS is Vital

• DNS is pivotal to the integrity of the Active Directory
  – Incorrect DNS configuration can result in poor system response and failures
• Use nslookup to check DNS lookups and registrations
  – In particular the SRV records under _msdcs, _sites, _tcp and _udp that each DC registers (e.g. _ldap._tcp.dc._msdcs.<domain>)

DNS Health Check

(screenshot)

More Details Required?


15:42:16 674 PACKET UDP Snd 10.20.50.2
UDP response info at 00783F3C
Socket = 292
Remote addr 10.20.50.2, port 1036
Time Query=17256, Queued=0, Expire=0
Buf length = 0x0500 (1280)
Msg length = 0x007c (124)
Message:
XID 0x00ba
Flags 0x8583
QR 1 (RESPONSE)
OPCODE 0 (QUERY)
AA 1
TC 0
RD 1
RA 1
Z 0
RCODE 3 (NXDOMAIN)

• Debug logging


Replication During Installation

Diagram: dcpromo promotes the server to a DC; the initial copy of the AD is replicated from an existing DC via the network

• Potential show stopper for branch offices with slow/intermittent links
  – Workaround – replicate locally and ship hardware
• Hinders fast deployment of multiple DCs across the same LAN

Solution – Install From Media

Diagram: on an existing DC, Windows Backup backs up the system state and stores it to media (DVD, CDROM, tape or file system). On the target server the backup is restored to an alternative location and dcpromo /adv builds the new DC from the restored files.

Promotion

Diagram: original DC and target server, still connected by the network

• Still requires network connectivity for
  – Location of an appropriate DC via DNS
  – Creation/replication of metadata
  – Replication of SYSVOL data
  – Replicating changes since the backup image was taken
• The backup must be younger than the tombstone lifetime (60 days by default), otherwise the restored copy cannot be brought up to date

Retiring DCs and Domains

• dcpromo is used to gracefully retire domain controllers and domains
• If a DC or domain is lost, its metadata must be removed from the forest
• If a DC becomes orphaned, dcpromo cannot be used to convert the DC back to a member server

Metadata Cleanup

• ntdsutil can be used to clean the metadata from the forest
  – Before using it, check that all domain controllers are fully replicated
• Use the metadata cleanup operation to delete:
  – references to servers
  – references to domains
• See Q230306, Q216498

Retiring an Orphaned DC

• Instead of reinstalling you can try the following:
  – Reboot into Directory Services Restore mode
  – Edit the registry key HKLM\SYSTEM\CCS\Control\ProductOptions
  – Change ProductType from LanmanNT to ServerNT
  – Delete the AD database and log files
  – Restart and the computer will be a member server
  – To complete the cleanup, promote the server into a new domain and then demote again
• The rest of the forest still holds the orphaned DC's metadata: remove it with ntdsutil as on the previous slide

Deleting the NTDS Settings Object on Windows .NET

(screenshot)

Functionality Levels
• Initial compatibility with current systems is
always important
– Some new features may not be compatible
with older systems
• Windows 2000 Native mode only enabled after all
the Windows NT 4 BDCs have been retired
• Mixed/Native mode was not designed to be
extensible
– Functionality levels are future proof


Identifying the Functionality Level

• A new attribute msDS-Behavior-Version holds the functionality level
  – This attribute is used with three objects
    • NTDS Settings – shows the functionality level of the DC
    • Domain object (domainDNS) – shows the current domain functionality level
    • Partitions container – shows the current forest functionality level
  – If the attribute is missing then the version is taken as 0 (Windows 2000)

.NET Domain Functionality

• Interoperability: only supports .NET DCs
• Added functionality
  – Domain controller rename
  – Update logon timestamp
  – Kerberos KDC key version numbers
  – User password on InetOrgPerson

.NET Forest Functionality

• Only supports .NET domain controllers
• GC replication tuning
• Defunct schema objects
• Transitive inter-forest trusts
• Linked value replication
• Renaming domains
• Improved replication algorithms
• Dynamic auxiliary classes
• InetOrgPerson object class change

.NET Interim Forest

• .NET Interim is supported for upgrades from Windows NT
  – Improved replication algorithms for ISTG
  – Linked value replication
• Not supported on Windows 2000 domain controllers

Seminar Topics

• Introduction
• Anatomy of an Object
• Data Storage
• Object Security
• Advanced Delegation of Administration
• Creating the Active Directory
• Replication


Replication Model

• Replication is at attribute level
  – The replication model is described as multimaster, loose consistency with convergence
• Multimaster
  – Changes can be made at any DC
• Loose consistency
  – There is a latency between changes being made and their availability throughout the enterprise
• Convergence
  – Eventually the changes will propagate to all DCs, and conflicts will have to be detected and resolved

Identifying Changes

Diagram: SRV1 holds changes at USN 1321 to 1327. SRV2 sends "Send me your changes – I have all changes up to USN 1324". SRV1 returns USNs 1325 to 1327, and SRV2's high-watermark for SRV1 moves from 1324 (before) to 1327 (after).

• An Update Sequence Number (USN) tracks changes to attributes
  – Each DC maintains a high-watermark vector which identifies the highest USN that it has received from each replication partner
  – USNs are local to a DC: the same change carries a different USN on every DC that holds it

Propagation Dampening

Diagram: SRV1's database, showing for each local change the originating DSA and originating USN, and whether it is sent to SRV2

  Local USN   Originating DSA   Originating USN   Sent?
  2237        SRV1              2237              yes
  2236        SRV3              5432              yes
  2235        SRV1              2235              yes
  2234        SRV3              5430              no
  2233        SRV1              2233              yes
  2232        SRV1              2232              (already received)
  2231        SRV1              2231              (already received)

SRV2 asks: "Send me your changes – I have all changes up to USN 2232, and I have all the changes from SRV3 up to USN 5430". SRV3 replicates with both SRV1 and SRV2.

• Attributes change due to originating writes or received replicas
  – Both types of change increment the USN
  – Propagation dampening stops the same information being replicated from two different sources: local USN 2234 is not sent because SRV2 already holds SRV3's originating USN 5430, whereas 2236 (SRV3's 5432) is sent
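The two replication slides above can be run as a small simulation. The Python below is an added example (not from the seminar): three DCs each keep a local USN, a high-watermark vector and an up-to-date vector; a pull sends the request shown on the slide ("all your changes up to USN x", plus the up-to-date vector) and the source withholds any change whose originating (DSA, USN) the destination already covers. DC names stand in for the invocationId GUIDs the real protocol uses, and the attribute values are made up.

```python
"""Simulation of USN-based change identification and propagation dampening.

Added example, not code from the seminar. Three DCs (SRV1, SRV2, SRV3) are
modelled; DC names stand in for the invocationId GUIDs that identify
originating databases in the real protocol.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    local_usn: int          # USN in the database of the DC that holds this copy
    originating_dsa: str    # database where the write was made
    originating_usn: int    # USN it had there
    attribute: str
    value: str


@dataclass
class DC:
    name: str
    usn: int = 0
    changes: list = field(default_factory=list)
    # partner -> highest local USN of that partner already received (high-watermark vector)
    high_watermark: dict = field(default_factory=dict)
    # originating DSA -> highest originating USN applied from it (up-to-date vector)
    up_to_date: dict = field(default_factory=dict)

    def _record(self, originating_dsa, originating_usn, attribute, value):
        self.usn += 1  # both originating writes and received replicas consume a USN
        self.changes.append(Change(self.usn, originating_dsa, originating_usn, attribute, value))
        self.up_to_date[originating_dsa] = max(self.up_to_date.get(originating_dsa, 0), originating_usn)

    def originate(self, attribute, value):
        """An originating write on this DC."""
        self._record(self.name, self.usn + 1, attribute, value)

    def request_for(self, source):
        """What the destination sends: 'I have all your changes up to USN x'
        plus its up-to-date vector."""
        return {"high_watermark": self.high_watermark.get(source.name, 0),
                "up_to_date": dict(self.up_to_date)}

    def pull_from(self, source):
        """One replication cycle from `source`. Returns (sent, dampened) as
        lists of the source's local USNs."""
        req = self.request_for(source)
        candidates = [c for c in source.changes if c.local_usn > req["high_watermark"]]
        sent, dampened = [], []
        for c in candidates:
            # Propagation dampening: the destination already holds this
            # originating write, received via another partner.
            if req["up_to_date"].get(c.originating_dsa, 0) >= c.originating_usn:
                dampened.append(c.local_usn)
                continue
            self._record(c.originating_dsa, c.originating_usn, c.attribute, c.value)
            sent.append(c.local_usn)
        # Cycle complete: the destination is now as current as the source.
        self.high_watermark[source.name] = source.usn
        for dsa, usn in source.up_to_date.items():
            self.up_to_date[dsa] = max(self.up_to_date.get(dsa, 0), usn)
        return sent, dampened


def demo():
    srv1, srv2, srv3 = DC("SRV1"), DC("SRV2"), DC("SRV3")
    srv1.originate("description", "London")          # SRV1 local USN 1
    srv3.originate("info", "first")                  # SRV3 local USN 1
    srv3.originate("info", "second")                 # SRV3 local USN 2
    srv2.pull_from(srv3)                             # SRV2 now has SRV3's two writes
    srv1.pull_from(srv3)                             # so does SRV1, as its local USNs 2 and 3
    srv1.originate("description", "New York")        # SRV1 local USN 4
    sent, dampened = srv2.pull_from(srv1)            # SRV1's 2 and 3 are dampened
    second_sent, second_dampened = srv2.pull_from(srv1)
    return {
        "sent": sent,
        "dampened": dampened,
        "srv2_high_watermark_srv1": srv2.high_watermark["SRV1"],
        "srv2_up_to_date": dict(srv2.up_to_date),
        "srv2_usn": srv2.usn,
        "second_cycle": (second_sent, second_dampened),
        "srv2_values": {(c.attribute, c.value) for c in srv2.changes},
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The dampened changes still advance SRV2's high-watermark for SRV1, so they are never offered again; the second cycle returns nothing at all.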

More details

• The up-to-date vectors control propagation dampening
  – For each originating database the vector records the highest originating USN that has been applied
  – The originating database is identified by the DSA GUID
    • This is the invocationId property of the NTDS Settings object (it changes when the database is restored from backup)
• Every time an attribute changes its version number is incremented by one

Observing Metadata

C:\>repadmin /showmeta cn=g1,dc=child,dc=example,dc=com

Loc.USN  Originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============  =======  ===================  ===  =========
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectClass
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  cn
   9847  London\Srv1         9847  2002-09-07 15:34.02    1  description
   9863  London\Srv1         9863  2002-09-07 15:41.53    2  member
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  instanceType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  whenCreated
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  nTSecurityDescriptor
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  name
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectSid
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  sAMAccountName
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  sAMAccountType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  groupType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectCategory

• Loc.USN equals Org.USN for every attribute because the command was run on the DC where the writes originated
• member is at version 2 with a later originating USN and time: the membership was changed once after the group was created

Authoritative Restores

• The system is booted into Directory Services Restore mode and the system state restored from backup
  – ntdsutil is used to mark a branch of the domain or configuration NC as authoritative
    • This bumps the version numbers of all the attributes by 100,000 for each day since the original backup
    • The bumped versions beat any later normal write during conflict resolution, so the restored values win

Authoritative Restore Issues

• Reinstatement of old passwords may affect trusts and computer accounts
• Possible loss of group membership information
  – If a restored group replicates before the restored group members, the receiving DC will delete the missing members from the group
    • After replication has completed, create a dummy user in the affected groups to replicate the correct membership (the whole member attribute is replicated again, carrying the missing entries)

SYSVOL Replication

• Multimaster replication of files and folders (by the File Replication Service, FRS)
• Uses intersite schedules
• Replicates file and folder attributes including ACLs

Resolving Conflicts

Diagram: each replicated attribute carries a unique stamp (version, originating time, originating DSA GUID). On receiving a replica:
  if the replica's version number is higher, accept the change
  else if its originating time is later, accept the change
  else tie-break on the originating DSA GUID
Normally last writer wins, but this is not always true: the version number is compared before the time.

• It is possible for the same attribute to be simultaneously updated at multiple locations
  – The DC checks that the replica is "newer" than the version it currently holds before accepting the change
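The stamp comparison above, and the version bump from the Authoritative Restores slide, as an added Python example (not code from the seminar): Stamp.beats implements version, then originating time, then DSA GUID; the restore helper applies the 100,000 per day increment the seminar describes, and the demo shows a restored value beating a write made a day later because version is compared first. The GUIDs, times and values are made up.

```python
"""Conflict resolution on a replicated attribute, and why an authoritative
restore wins.

Added example, not code from the seminar. Stamps carry (version,
originating time, originating DSA GUID); the GUID strings are made up.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import uuid


@dataclass(frozen=True)
class Stamp:
    version: int
    originating_time: datetime
    originating_dsa: str  # invocationId as a GUID string

    def key(self):
        # Compare the GUID numerically so the tie-break does not depend on hex case.
        return (self.version, self.originating_time, uuid.UUID(self.originating_dsa).int)

    def beats(self, other):
        """True if a replica with this stamp replaces the copy stamped `other`.
        Version first, then originating time, then DSA GUID as tie-breaker.
        An identical stamp is the same write and does not replace anything."""
        return self.key() > other.key()


def apply_replica(held, incoming):
    """held/incoming are (Stamp, value) pairs. Returns the pair that survives
    and whether the incoming replica was accepted."""
    if incoming[0].beats(held[0]):
        return incoming, True
    return held, False


VERSION_BUMP_PER_DAY = 100_000


def authoritative_restore_stamp(backup_stamp, backup_time, restore_time, restoring_dsa):
    """Stamp ntdsutil gives a restored attribute, per the seminar's description:
    the version is increased by 100,000 for each day since the backup (at least
    one day), and the restore itself becomes the originating write."""
    days = max(1, (restore_time - backup_time).days)
    return Stamp(
        version=backup_stamp.version + VERSION_BUMP_PER_DAY * days,
        originating_time=restore_time,
        originating_dsa=restoring_dsa,
    )


SRV1 = "11111111-1111-1111-1111-111111111111"
SRV2 = "22222222-2222-2222-2222-222222222222"
T0 = datetime(2002, 9, 7, 15, 34, 2)


def demo():
    # Both DCs held version 2 and each applied a local write: version 3 on each.
    on_srv1 = (Stamp(3, T0, SRV1), "555-0100")
    on_srv2 = (Stamp(3, T0 + timedelta(seconds=1), SRV2), "555-0199")
    later_writer_wins, accepted = apply_replica(on_srv1, on_srv2)

    # Same version and time: the higher DSA GUID wins (pure tie-break).
    tie_a = (Stamp(3, T0, SRV1), "a")
    tie_b = (Stamp(3, T0, SRV2), "b")
    tie_result, _ = apply_replica(tie_a, tie_b)

    # Authoritative restore of a backup taken 3 days before T0, restored 1 day after.
    backup = Stamp(2, T0 - timedelta(days=3), SRV1)
    restored = authoritative_restore_stamp(backup, T0 - timedelta(days=3), T0 + timedelta(days=1), SRV1)
    # A DC that has not yet seen the restore writes version 4 a day later:
    # newer in wall-clock terms, but version is compared first.
    late_write = (Stamp(4, T0 + timedelta(days=2), SRV2), "555-0150")
    survivor, late_accepted = apply_replica((restored, "555-0042"), late_write)

    return {
        "later_writer_wins": later_writer_wins[1],
        "accepted": accepted,
        "tie_break": tie_result[1],
        "restored_version": restored.version,
        "restore_survives": survivor[1],
        "late_write_accepted": late_accepted,
        "same_stamp_replaces": Stamp(3, T0, SRV1).beats(Stamp(3, T0, SRV1)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The last case is the one that surprises people after a restore: a legitimate change made on a DC that has not yet replicated with the restored DC is discarded when the two meet, because the restored stamp's version is hundreds of thousands higher.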

Other Issues
• An add or move operation to a container is
performed on one DC as the container is
deleted on another
– The object is placed in the LostAndFound
container
• Adding or moving objects on different DCs
results in the objects having the same DNs
– The RDN of the “newer” object is retained
– The RDN of the other object becomes:
RDN*CNF:<object GUID>

Multivalued Attributes

Diagram: on SRV1, G1's members are Sally, Rod and Jane; on SRV2 they are John, Chloe and Pete. On replication the newer member attribute wins as a whole.

• Multivalued attributes are replicated as a single entity
  – If the same group is simultaneously updated on two DCs, after replication only one set of members will be retained

Solution: Linked Value Replication

• Store replication metadata per value for multivalued linked value attributes
  – Replicate individual changes instead of the whole membership
  – Eliminates the 5000 direct-member limit
• Storage and protocol incompatible with Windows 2000 – only works with Windows .NET
• Requires Windows .NET forest mode

And There is More…

• If you've enjoyed this seminar
  – Tell your friends, ask your local Microsoft subsidiary when we will be in your area next!
  – We will be presenting it as a pre-conference session at MEC and IT Forum
• Hope to see you at Microsoft MEC and/or Microsoft IT Forum

Microsoft IT Forum
19-23 November, Copenhagen, Denmark

Get CONNECTED at Europe's Premier Conference for technology professionals.

• Save €300 if you take advantage of the early bird special by registering on or before 21 October 2002.
• http://www.microsoft.com/europe/itforum/
• Hear from Microsoft executives and technical experts
• Choose from over 140 technical breakout sessions
• Attend extensive hands-on training labs
• Explore the hottest new tools and technologies
• Take advantage of the company or individual TechEd Attendee Discount.
  http://www.microsoft.com/europe/itforum/special.asp

Thank you for coming