Advanced Directory Concepts and Services Notes
Platformen
Advanced directory concepten en services 1
3 PLF werkomgeving
Setting up the 3 PLF working environment for the rest of the semester is relatively labor-intensive but provides good practice. With 16 GB RAM, you should be able to actively use either the Windows or Linux part. With 32 GB RAM, you can use both simultaneously.
Functional Levels
Windows Server 2016 has its own domain and functional levels.
When installing a new AD, these are automatically chosen.
When using AD in an existing domain, you must choose both.
Domain and forest functional levels can only be upgraded to 2016 if all DCs are 2016!
Voordelen van 2016
Domain: keys for NTLM and Kerberos-client ID.
Forest: PAM with Microsoft Identity Manager (MIM).
Outlining AD DS Components
AD DS is a ‘highly configurable’ and ‘secure’ database.
X.500: AD is derived from x.500: Directory information Tree (DIT).
Example: servername.subdomain.domain.tld (Store).
AD is not compatible with x.500, partly due to TCP/IP in AD.
AD DS schema:
Schema: A set of definitions for all AD objects and attributes in AD.
It is secured with discretionary access control lists (DACLs).
Extending the Schema:
AD is customizable, e.g., with Exchange.
Altering the Schema can lead to problems!
Performing schema modification
ADSI-edit; functions include view, delete, and modify schema objects and/or attributes.
Outlining AD DS Components (2)
Lightweight Directory Access Protocol (LDAP):
RFC2251.
AD is compliant with the Internet standard of LDAP.
Used for searching and modifying the database.
Each object in AD has an ‘absolute’ path:
Distinguished names: “cn=Henk Jansen, OU=inkoop, dc=school, dc=test”
Cn = common name, OU = organisational unit, dc = domain component.
DC = DNS.
Relative distinguished names: “OU=inkoop, dc=school, dc=test”
Outlining AD DS Components (3)
Global Catalog & Global Catalog Servers:
Index of AD, including first and last names of users.
Preferably at least one GC per physical location.
ROGC/GC for slow WAN links.
Exchange requires a fast connection with GC. Exchange cannot use RODC/ROGC!
Multiple GCs for:
Load balancing.
Redundancy.
Fast searching.
Detailing Multimaster Replication in AD DS
Basis | Site | |
|---|---|---|
Intrasite replicatie | Intersite replicatie | |
Direct & geen compressie | 180 minuten & wel compressie | |
145.89.1.0/16 172.16.0.0/16 135.15.1.0/16 | ||
SiteLinks | SiteLink Bridges | |
BridgeHead Server | BridgeHead Server | |
Intersite Topology Generator (ISTG) | Knowledge Consistency Checker (KCC) | |
GC & Sysvol |
AD replication:
All additions.
Deletions.
Modifications in AD.
DCs within a site; (max)3 hops > KCC makes direct link.
KCC is responsible for:
Creating and managing the replication topology.
Checking AD every 15 minutes for create/delete objects.
Two Types:
Within a site: Intrasite Replication.
Outside a site: Intersite Replication
No notifications; schedule; Compressed.
Sites en Replicatie
Notify Request/Polling Or Propagation damping
AD is Multimaster:
To prevent ‘problems’, there are Operation Master roles (OM); were formerly called FSMO roles until 2016.
Defining the Operations Master Roles
Schema master: one writable schema master in AD forest.
Domain naming master: to add new domains, the server must also be GC. One per forest.
PDC emulator: Legacy NT PDC, also a timeserver. 1 per domain.
RID master: distributes SID pool(s). Without RID master, no accounts can be created. 1 per domain.
Infrastructure master: list of objects not in the own domain.
Transfer OM roles
Ntdsutil, Powershell, AD Users & computers, AD sites & services, …
Detailing Multimaster Replication in AD DS (3)
Transitive trusts
Transitive trust: automatic path in domain tree.
Two-way transitive trust: for subdomains. Does not apply to access to everything; permissions still play a role.
Explicit trust.