
What is an Active Directory and How Does It Work

Active Directory is a directory service from Microsoft that stores information about the objects on
a network (users, computers, groups, printers, shares) so that the information can be found by
network administrators and, after a logon, by the users who are entitled to it. With Active
Directory an administrator can view all of the network's objects from a single point and obtain a
hierarchical view of the network. An administrator of a large corporation or organization can roll
out software, patches and files to all end-user computers by changing one object in a tree or
forest (for example a group policy linked to a domain or organizational unit) instead of visiting
each machine.
Because each object conforms to a schema and has defined attributes, an administrator can place a
person in the right container of a tree and immediately grant or deny that person access to
particular applications. Between domains, Microsoft servers use trusts to decide whether an account
from one domain may be granted access to resources in another. Two kinds of trust that Active
Directory uses are transitive trusts and one-way non-transitive trusts. A transitive trust reaches
further than the two domains that established it: if domain A trusts domain B and domain B trusts
domain C, then A also trusts C, so accounts from C can be granted access in A. The parent-child and
tree-root trusts inside a forest are two-way and transitive, which is why an account can be granted
access to resources anywhere in its forest. A one-way non-transitive trust lets accounts from the
trusted domain be granted access in the trusting domain only; the trusted domain does not in turn
grant access to the trusting domain's accounts, and the trust does not extend to any further domain
on either side. A simple way to picture the difference: a domain administrator's account can be
granted access to most trees in the forest, including a particular end user's domain, because the
trusts inside the forest are transitive, whereas a user from a domain that is connected only by a
one-way non-transitive trust can reach that one trusting domain and nothing beyond it. A trust only
makes it possible to grant access across the boundary; what an account can actually do is still
decided by the permissions set on each resource.
Active Directory is a good way to organize a large organization's or corporation's computers, data
and network. Without it, most end users would have computers that had to be updated one at a time
and would have no access to a larger network where data can be processed and reports created.
Although Active Directory can be quite technical and takes considerable expertise to administer, it
is essential to storing information and data on networks.
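The trust properties described above can be read directly from the domain. The following is an added example (not code from the original page): it lists every trust of the current domain, works out whether each one is transitive and in which direction it applies, and reports the SID-filtering setting that decides whether SIDs from the other side of the trust are accepted into a user's token. It assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host and an account that can read the trust objects.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module on a domain-joined host; assumes read access to the trust objects.
Import-Module ActiveDirectory

function Get-TrustSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        # Transitive only inside the forest or for a forest trust, and never when
        # the non-transitive flag (DisallowTransivity) is set. External trusts
        # therefore always come out as non-transitive.
        $transitive = (-not $_.DisallowTransivity) -and ($_.IntraForest -or $_.ForestTransitive)

        # Forest trusts record SID filtering as "forest aware"; external trusts
        # record it as "quarantined".
        $sidFiltered = if ($_.ForestTransitive) { $_.SIDFilteringForestAware } else { $_.SIDFilteringQuarantined }

        [pscustomobject]@{
            Partner         = $_.Name
            Direction       = $_.Direction          # Inbound, Outbound or BiDirectional, seen from this domain
            Transitive      = $transitive
            IntraForest     = $_.IntraForest
            SIDFiltering    = $sidFiltered
            SelectiveAuth   = $_.SelectiveAuthentication
            TrustAttributes = ('0x{0:X}' -f [int]$_.TrustAttributes)
            # The case worth reviewing: SIDs from another forest are accepted unfiltered.
            Concern         = if (-not $_.IntraForest -and -not $sidFiltered) { 'cross-forest trust without SID filtering' } else { '' }
        }
    }
}

Get-TrustSummary | Format-Table -AutoSize
```

Intra-forest trusts always show as transitive and two-way; anything that crosses the forest boundary should show SIDFiltering as True, because without it a SID history injected on the other side is honoured in this forest.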

Difference Between Authentication and Authorization

Authentication :-
The Web server containing the sales reports asks her workstation, “Who’s
asking for this data?” The workstation replies, “Ivana.” The server then says,
“Prove it.” So the workstation pops up a dialog box on Ivana’s screen asking for
her username and password. She types in her name and password, and
assuming that she types them correctly, the server then checks that name and
password against a list of known users and passwords and finds that she is
indeed Ivana.

Authorization :-
The mere fact that she has proven that she’s Ivana may not be sufficient
reason for the Web server to give her access to the sales pages. The Web server
then looks at another list, known as an access control list (ACL): a list of
people and access levels—“Joe can look at this page but can’t change it,” “Sue
can look at this page and can change it,” “Larry can’t look at this page at all.”
Presuming Ivana’s on the “can look” list, the server sends the requested pages to
her browser. Authentication establishes who is asking; authorization decides what
that identity may do, and the second check is still required after the first
one succeeds.

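The two steps as separate pieces of code, added here as an example and not taken from the original page: the credential check and the ACL check are independent functions, and the request handler runs both in order. The user records, the salted password hashes and the ACL are constructed sample data for the example, not a real directory.

```powershell
# Added example, not from the original page. All users, passwords and ACL
# entries below are constructed sample data.
$Iterations = 100000

function New-PasswordRecord {
    param([Parameter(Mandatory)][string]$Password)
    $salt = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($salt)
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $salt, $Iterations)
    return @{ Salt = $salt; Hash = $kdf.GetBytes(32) }
}

# Used for unknown users so that a missing account costs the same time as a wrong password.
$DummyRecord = New-PasswordRecord 'not-a-real-password'

# Step 1, authentication ("Prove it"): true only if the credential verifies.
function Test-Authentication {
    param([hashtable]$Users, [string]$User, [string]$Password)
    $known = $Users.ContainsKey($User)
    $rec = if ($known) { $Users[$User] } else { $DummyRecord }
    $kdf = New-Object System.Security.Cryptography.Rfc2898DeriveBytes($Password, $rec.Salt, $Iterations)
    $candidate = $kdf.GetBytes(32)
    # Compare every byte regardless of where the first mismatch is, so the time
    # taken does not reveal how much of the hash matched.
    $diff = 0
    for ($i = 0; $i -lt $candidate.Length; $i++) { $diff = $diff -bor ($candidate[$i] -bxor $rec.Hash[$i]) }
    return (($diff -eq 0) -and $known)
}

# Step 2, authorization: the ACL maps a page to each listed user's rights.
# A user who is not listed (Larry) gets nothing.
function Test-Authorization {
    param([hashtable]$Acl, [string]$Page, [string]$User, [string]$Right)
    if (-not $Acl.ContainsKey($Page)) { return $false }
    $entry = $Acl[$Page]
    if (-not $entry.ContainsKey($User)) { return $false }
    return [bool]($entry[$User] -contains $Right)
}

# The server's request handler: authenticate first, then authorize the specific right.
function Invoke-PageRequest {
    param([hashtable]$Users, [hashtable]$Acl, [string]$User, [string]$Password, [string]$Page, [string]$Right = 'Read')
    if (-not (Test-Authentication -Users $Users -User $User -Password $Password)) { return '401 Unauthorized' }
    if (-not (Test-Authorization -Acl $Acl -Page $Page -User $User -Right $Right)) { return '403 Forbidden' }
    return "200 OK: $Page"
}

# Constructed sample directory and ACL mirroring the text above.
$users = @{
    Ivana = (New-PasswordRecord 'correct horse battery staple')
    Joe   = (New-PasswordRecord 'joe-pass')
    Sue   = (New-PasswordRecord 'sue-pass')
    Larry = (New-PasswordRecord 'larry-pass')
}
$acl = @{ 'sales.html' = @{ Ivana = @('Read'); Joe = @('Read'); Sue = @('Read', 'Write') } }

Invoke-PageRequest $users $acl 'Ivana' 'correct horse battery staple' 'sales.html'          # valid login, on the "can look" list
Invoke-PageRequest $users $acl 'Ivana' 'wrong password'               'sales.html'          # fails step 1
Invoke-PageRequest $users $acl 'Joe'   'joe-pass'                     'sales.html' 'Write'  # passes step 1, fails step 2
Invoke-PageRequest $users $acl 'Larry' 'larry-pass'                   'sales.html'          # passes step 1, not in the ACL
```

Joe's case is the one the paragraph is about: a correct password proves identity and nothing more, so the ACL lookup runs against the specific right being requested rather than against "is logged in".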
How to get last login time for Active Directory users

Copy the code below, save it with a .vbs extension on the desktop and change the second
non-comment line to your domain name followed by the names of your domain controllers,
comma-separated. The lastLogon value that the WinNT provider reports is the one held by the
domain controller being asked, and that attribute is not replicated between domain
controllers, so the script queries each listed DC and keeps the most recent value.

On Error Resume Next

' First entry: the domain (or a DC) whose users are enumerated; following entries:
' every other DC to ask, because lastLogon is not replicated. DC1 and DC2 are placeholders.
sEnterDCs = "your domain name,DC1,DC2"
sObjects = Split(sEnterDCs, ",")
Set oDomain = GetObject("WinNT://" & sObjects(0))
oDomain.Filter = Array("User")
WScript.Echo "Showing last login times of accounts from: " & oDomain.Name & vbCrLf
For Each oDomainItem In oDomain
    sUsrLogin = oDomainItem.LastLogin
    If UBound(sObjects) >= 1 Then
        ' Keep the most recent value reported by any of the listed DCs
        For ii = 1 To UBound(sObjects)
            Set oUsr = GetObject("WinNT://" & sObjects(ii) & "/" & oDomainItem.Name & ",user")
            If oUsr.LastLogin > sUsrLogin Then sUsrLogin = oUsr.LastLogin
        Next
    End If
    WScript.Echo "Username: " & Left(oDomainItem.Name & Space(22), 22) & "Last login: " & FormatDateTime(sUsrLogin)
Next

Final Step :-

With the script saved on the desktop with the .vbs extension, open a command prompt in that
folder and run it with cscript, redirecting the output to a file:

C:\Documents and settings\userprofile\Desktop\>cscript savedscript.vbs > log.xls

The file is plain text (the .xls extension only makes Excel open it); add the //NoLogo switch
to cscript to keep its banner out of the output.
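The same "ask every domain controller and keep the newest value" logic with the ActiveDirectory module, added here as an example rather than taken from the page. It assumes RSAT is installed and that the account can read user objects on each DC; the 90-day staleness threshold and the output file name are choices made for the example.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module and read access to user objects on every DC.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [string]$Domain = (Get-ADDomain).DNSRoot,
        [int]$StaleDays = 90
    )
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
    $latest = @{}   # sAMAccountName -> newest lastLogon (FILETIME) seen on any DC

    foreach ($dc in $dcs) {
        try {
            # lastLogon is kept per DC and never replicated, so every DC is asked.
            Get-ADUser -Filter * -Server $dc -Properties lastLogon | ForEach-Object {
                $t = [long]$_.lastLogon   # 0 (or missing) means never logged on at this DC
                if (-not $latest.ContainsKey($_.SamAccountName) -or $t -gt $latest[$_.SamAccountName]) {
                    $latest[$_.SamAccountName] = $t
                }
            }
        } catch {
            # A DC that cannot be reached may hold the newest value, so say so.
            Write-Warning "Could not query $dc; results may under-report logons: $($_.Exception.Message)"
        }
    }

    $cutoff = (Get-Date).AddDays(-$StaleDays)
    foreach ($name in ($latest.Keys | Sort-Object)) {
        $ft = $latest[$name]
        $when = if ($ft -gt 0) { [DateTime]::FromFileTime($ft) } else { $null }
        [pscustomobject]@{
            SamAccountName = $name
            LastLogon      = $when
            Stale          = ($null -eq $when) -or ($when -lt $cutoff)
        }
    }
}

# Usage: accounts that have not authenticated on any DC in the last 90 days,
# written as real CSV rather than text redirected into a .xls file.
Get-TrueLastLogon | Where-Object Stale | Export-Csv -Path .\stale-accounts.csv -NoTypeInformation
```

If querying every DC is too slow, the replicated lastLogonTimestamp attribute (LastLogonDate in Get-ADUser) is accurate to within about 14 days and needs only one query; it is good enough for finding stale accounts but not for an exact last-logon time.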

View users connected or logged on to terminal server

Sometimes we need to know how many users are logged on to a server, for example when there
is performance degradation.

For how many users details :-


For user details:-
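
An added example for both of the items above (not code from the original page): it runs the built-in query user tool against a terminal server, turns its fixed-width output into objects, and reports the number of sessions and how many are active. It assumes the caller has the right to enumerate sessions on the target (administrators have it by default); the server name TS01 is a placeholder.

```powershell
# Added example, not from the original page. TS01 is a placeholder server name.
function Get-TsSession {
    param([string]$Server = $env:COMPUTERNAME)

    # "query user" prints a header line and then one fixed-width line per
    # session; the caller's own session is marked with a leading ">".
    $lines = & query user /server:$Server 2>&1
    if ($LASTEXITCODE -ne 0) { throw "query user failed on ${Server}: $lines" }

    $lines | Select-Object -Skip 1 | ForEach-Object {
        $fields = $_.ToString().Trim().TrimStart('>').Trim() -split '\s{2,}'
        # A disconnected session has no SESSIONNAME column, so the number of
        # fields tells which layout this line uses.
        if ($fields.Count -eq 6) {
            $user, $session, $id, $state, $idle, $logon = $fields
        } else {
            $user, $id, $state, $idle, $logon = $fields
            $session = ''
        }
        [pscustomobject]@{
            Server      = $Server
            UserName    = $user
            SessionName = $session
            Id          = [int]$id
            State       = $state      # Active or Disc
            IdleTime    = $idle
            LogonTime   = $logon
        }
    }
}

$sessions = @(Get-TsSession -Server 'TS01')
'{0} session(s), {1} active' -f $sessions.Count, @($sessions | Where-Object State -eq 'Active').Count
$sessions | Format-Table -AutoSize
```

query user lists only user sessions; query session /server:NAME additionally shows the listener and services sessions, which is why the two commands give different counts on the same server.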


Active Directory Database and Log Files

The Extensible Storage Engine (ESE) is the database engine that Active Directory uses to store and
manage every object in the directory database; the database itself is the file Ntds.dit. Any
modification of the data affects database performance, fragmentation and integrity, so the engine
never writes a change straight into the database file.

ESE uses transactions and log files to ensure the integrity of the Active Directory database: a
change is written to a transaction log first and to the database file afterwards. Active Directory
includes the following files:
* Ntds.dit is the Active Directory database, which holds every directory object on the domain
controller. The .dit extension stands for directory information tree. The default location is the
%systemroot%\Ntds folder; the paths actually in use are recorded under
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters. Every transaction against Ntds.dit is
recorded in the log files associated with it. Because Ntds.dit also contains the password hashes of
every account in the domain, any copy of it (a backup or a volume shadow copy included) has to be
protected as carefully as the domain controller itself.

* Edb*.log are the transaction log files. Each transaction log file is 10 megabytes (MB). When
Edb.log is full, Active Directory renames it to Edbnnnnn.log, where nnnnn is an increasing number
that starts at 1.

* Edb.chk is the checkpoint file, which the database engine uses to track which logged transactions
have not yet been written to the database file. The checkpoint acts as a pointer that records how
far the database file on disk has caught up with the state in memory and in the logs; it marks the
point in the log files from which transactions must be replayed if a failure occurs.

* Res1.log and Res2.log are reserved transaction log files. Together they reserve 20 MB of disk
space in the log folder, which is enough for the database to shut down cleanly if all other disk
space has been used up. On Windows Server 2008 and later the reserved files are named
edbres00001.jrs and edbres00002.jrs.
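An added example (not from the original page) that locates these files from the registry values a domain controller actually uses, classifies and sizes them, and then checks that the folders holding them grant access to nobody but SYSTEM and Administrators. It assumes it is run locally on a domain controller as an administrator.

```powershell
# Added example, not from the original page. Run locally on a DC as an administrator.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsFileReport {
    $p = Get-ItemProperty $NtdsParams
    $dbFile = $p.'DSA Database file'        # normally C:\Windows\NTDS\ntds.dit
    $logDir = $p.'Database log files path'  # edb.log, edb*.log, edb.chk, edbres*.jrs

    $files = @(Get-Item $dbFile) +
             @(Get-ChildItem -Path $logDir -File | Where-Object { $_.Name -match '^(edb.*\.log|edb\.chk|edbres\d+\.jrs)$' })

    foreach ($f in $files) {
        $kind = switch -Regex ($f.Name) {
            '^ntds\.dit$'          { 'database' }
            '^edb\.log$'           { 'current transaction log' }
            '^edb[0-9A-F]+\.log$'  { 'closed transaction log' }
            '^edb\.chk$'           { 'checkpoint' }
            '^edbres\d+\.jrs$'     { 'reserved log' }
            default                { 'other' }
        }
        [pscustomobject]@{ File = $f.FullName; Kind = $kind; SizeMB = [math]::Round($f.Length / 1MB, 2); Modified = $f.LastWriteTime }
    }
}

# Anyone who can read these folders can copy ntds.dit (with the SYSTEM hive)
# and recover every password hash, so no other principal belongs in the ACL.
function Test-NtdsFolderAcl {
    $p = Get-ItemProperty $NtdsParams
    $paths = @($p.'DSA Working Directory', $p.'Database log files path') | Select-Object -Unique
    $allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

    foreach ($path in $paths) {
        $extra = @((Get-Acl -Path $path).Access |
                   Where-Object { $_.AccessControlType -eq 'Allow' -and $_.IdentityReference.Value -notin $allowed })
        [pscustomobject]@{
            Path       = $path
            Compliant  = ($extra.Count -eq 0)
            Unexpected = ($extra | ForEach-Object { "$($_.IdentityReference): $($_.FileSystemRights)" }) -join '; '
        }
    }
}

Get-NtdsFileReport | Format-Table -AutoSize
Test-NtdsFolderAcl  | Format-List
```

A large number of closed Edbnnnnn.log files next to a small Edb.chk is normal right after heavy writes; they are removed once the checkpoint passes them, so a steadily growing count points at a database that is not being checkpointed rather than at disk usage alone.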

How to get MAC Address remotely

Finding a MAC address remotely is easy. The arp command (arp -a) shows the MAC address of hosts on
the same subnet that the local PC has recently exchanged traffic with; for a host that is reachable
over NetBIOS, nbtstat reads the MAC address from the remote machine's own NetBIOS name table. Use
-a with the remote computer's name and -A with its IP address:
nbtstat -A remote-ip-address

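An added example (not from the original page) that combines the two methods: for a host on the local subnet it pings first so that the neighbor (ARP) cache has an entry, and for any other host it falls back to nbtstat -A and parses the MAC out of the NetBIOS name table. The fallback assumes UDP/137 is reachable and NetBIOS over TCP/IP is enabled on the target; the address 192.168.1.20 is a placeholder.

```powershell
# Added example, not from the original page. 192.168.1.20 is a placeholder address.
function Get-RemoteMac {
    param([Parameter(Mandatory)][string]$IPAddress)

    # A ping forces an ARP exchange, so the neighbor cache has an entry for on-link hosts.
    $null = Test-Connection -ComputerName $IPAddress -Count 1 -Quiet

    $entry = @(Get-NetNeighbor -IPAddress $IPAddress -ErrorAction SilentlyContinue |
               Where-Object { $_.State -in 'Reachable', 'Stale', 'Permanent' -and $_.LinkLayerAddress })
    if ($entry.Count -gt 0) {
        return [pscustomobject]@{ IPAddress = $IPAddress; MAC = $entry[0].LinkLayerAddress; Source = 'neighbor cache' }
    }

    # Off-link host: ask it for its NetBIOS name table, which ends with the MAC address.
    $out = & nbtstat -A $IPAddress 2>&1 | Out-String
    if ($out -match 'MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})') {
        return [pscustomobject]@{ IPAddress = $IPAddress; MAC = $Matches[1]; Source = 'nbtstat' }
    }

    return [pscustomobject]@{ IPAddress = $IPAddress; MAC = $null; Source = 'not found (host down, NetBIOS disabled or UDP/137 filtered)' }
}

Get-RemoteMac -IPAddress 192.168.1.20
```

The neighbor cache cannot answer for a host behind a router (the cache holds the router's MAC, not the target's), which is exactly the case the nbtstat fallback covers.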
What is Active Directory replication ?

Active Directory replication is pull rather than push: each domain controller pulls changes from
the replication partner on which the changes were made. The Knowledge Consistency Checker (KCC)
builds a replication topology from the defined sites and site links so that replication traffic
is managed. Intrasite replication is frequent and automatic as a result of change notification,
which triggers partners to begin a pull replication cycle. Intersite replication runs on a schedule,
is typically less frequent and does not use change notification by default, although this is
configurable and can be made identical to intrasite replication.
Each site link has a cost, and the KCC adjusts the site link topology accordingly. Replication may
occur transitively through several site links on same-protocol site link bridges if the cost is
low, although the KCC automatically costs a direct site-to-site link lower than a transitive
connection. Site-to-site replication can be configured to occur between bridgehead servers in each
site, which then replicate the changes to the other domain controllers within their site.
Active Directory replication uses Remote Procedure Calls over IP (RPC/IP). Between sites SMTP can
be used, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global
Catalog) naming contexts; SMTP cannot be used to replicate the Domain partition.
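An added example (not from the original page) that shows the two things described above from the administrator's side: the site links, with the cost and interval the KCC uses to build the intersite topology, and the inbound replication metadata of every domain controller, flagging partners whose last successful pull is older than a threshold. It assumes the ActiveDirectory module and read access to the Configuration partition; the 24-hour threshold is a choice made for the example.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory
# module and read access to the Configuration partition.
Import-Module ActiveDirectory

function Get-SiteLinkCostReport {
    # Site links carry the cost and interval that decide the intersite topology.
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ n = 'Sites'; e = { ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }
}

function Get-ReplicationLag {
    param([int]$MaxHours = 24)
    $cutoff = (Get-Date).AddHours(-$MaxHours)

    foreach ($dc in (Get-ADDomainController -Filter *)) {
        # Inbound metadata lists every partner this DC pulls from, per partition,
        # and when that pull last succeeded.
        $meta = @(Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue)
        if ($meta.Count -eq 0) {
            [pscustomobject]@{ DC = $dc.HostName; Partner = '(no metadata: DC unreachable?)'; Partition = $null
                               LastSuccess = $null; ConsecutiveFailures = $null; Overdue = $true }
            continue
        }
        foreach ($m in $meta) {
            [pscustomobject]@{
                DC                  = $dc.HostName
                # Partner is the DN of the partner's NTDS Settings object; keep just the server name.
                Partner             = $m.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
                Partition           = $m.Partition
                LastSuccess         = $m.LastReplicationSuccess
                ConsecutiveFailures = $m.ConsecutiveReplicationFailures
                Overdue             = ($null -eq $m.LastReplicationSuccess) -or ($m.LastReplicationSuccess -lt $cutoff)
            }
        }
    }
}

Get-SiteLinkCostReport | Format-Table -AutoSize
Get-ReplicationLag | Where-Object Overdue | Format-Table -AutoSize
```

Because replication is pull, a DC that shows no overdue inbound partners can still be the cause of a problem elsewhere: check the DCs that pull from it, not only the DC itself.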

List all member of a group in AD

A simple VBScript to display the members of a group.

Copy the code below, replace the LDAP path with the distinguished name of the group you want to
list, and save it with a .vbs extension. The member attribute holds direct members only (a nested
group appears as a single entry, not expanded), and GetEx raises an error on an empty group, which
On Error Resume Next hides.

On Error Resume Next

' Bind to the group by its distinguished name (replace the placeholder with your group's DN)
Set objGroup = GetObject _
    ("LDAP://your group distinguished name")

' GetEx returns the multi-valued member attribute as an array of distinguished names
arrMemberOf = objGroup.GetEx("member")

WScript.Echo "Members:"
For Each strMember in arrMemberOf
    WScript.echo strMember
Next
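An added example (not from the original page) that covers what the script above leaves out: it expands nested groups, stops on membership loops, and shows members from trusted domains, which exist in the group only as a SID. It reads the member attribute directly rather than calling Get-ADGroupMember, which refuses groups with more than 5000 members on a default ADWS configuration. It assumes the ActiveDirectory module on a domain-joined host; 'Domain Admins' is used only as a sample group.

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-GroupMemberTree {
    param(
        [Parameter(Mandatory)][string]$Group,   # name, sAMAccountName or distinguished name
        [int]$Depth = 0,
        [System.Collections.Generic.HashSet[string]]$Seen = (New-Object 'System.Collections.Generic.HashSet[string]')
    )
    $g = Get-ADGroup -Identity $Group -Properties member
    if (-not $Seen.Add($g.DistinguishedName)) {
        # Already visited: a cycle such as A contains B contains A. Report it and stop.
        return [pscustomobject]@{ Depth = $Depth; Type = 'cycle'; Name = $g.Name; DN = $g.DistinguishedName }
    }

    foreach ($dn in $g.member) {
        $obj = Get-ADObject -Identity $dn -Properties objectClass, sAMAccountName, objectSid
        switch ($obj.ObjectClass) {
            'group' {
                [pscustomobject]@{ Depth = $Depth; Type = 'group'; Name = $obj.Name; DN = $dn }
                Get-GroupMemberTree -Group $dn -Depth ($Depth + 1) -Seen $Seen
            }
            'foreignSecurityPrincipal' {
                # A member from a trusted domain is stored only as its SID.
                [pscustomobject]@{ Depth = $Depth; Type = 'foreign SID'; Name = $obj.objectSid.Value; DN = $dn }
            }
            default {
                [pscustomobject]@{ Depth = $Depth; Type = $obj.ObjectClass; Name = $obj.sAMAccountName; DN = $dn }
            }
        }
    }
}

Get-GroupMemberTree -Group 'Domain Admins' |
    Format-Table @{ n = 'Member'; e = { ('  ' * $_.Depth) + $_.Name } }, Type, DN -AutoSize
```

Members that live in another domain of the same forest have a DN the local domain cannot resolve; for those, add -Server pointing at a global catalog (port 3268) to the Get-ADObject call.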