IT and security stuff

The Active Directory culture (WIP)

This is a little reminder for myself. As I am not a theory type guy, I love taking notes. The purpose of this post is to mechanically write down these terms so they stay in my memory (hopefully).

Domains and Child Domains

  • The first domain created in an AD forest is the Root Domain
  • The Root Domain can have its own domains, called Child Domains
  • The group containing the Root Domain and its Child Domains is called a tree
  • When a Child Domain is created, a two-way trust is automatically created by AD. We call it a Parent-Child trust

Tree Domains

  • Tree domains are domains that use a different name than the Root Domain but are part of the same forest
  • During the creation of a Tree Domain, a trust is automatically created with the Root Domain (tree-root trust)

Active Directory Forest

  • A forest is a collection of domains (AD or others)
  • A forest's name is the same as the root domain's DNS name
  • The forest is the security boundary. It contains the whole AD infrastructure.

Trust Relationships

  • A trust is a trust relationship between two domains or two AD forests
  • If we want two forests to grant each other permissions, we need to create a manual trust
  • Trusts can be unidirectional or bidirectional

Active Directory Sites

  • An AD site is another physical instance of the same AD domain
  • If we create a new domain inside a new forest, we get a default AD site, Default-First-Site-Name
  • Creating sites makes it possible to manage replication between branch offices

AD Replication

Replication

  • AD works on the principle of "multi-master replication": any modification made on a DC (except an RODC) is replicated to every other DC
  • By modification I mean adding, modifying or deleting AD objects such as user accounts, groups or computers
  • Every member of a replication group can answer a client's requests
  • Replication cannot cross the boundary of an AD forest

Inter-site replication

In a situation where the domain is spread across several sites and each site has more than one DC, a "bridgehead server" is automatically selected by each site. This server is used to relay replication at the site level.

Useful commands

repadmin /replsummary - replication summary
repadmin /showrepl - show the status of the DC replication
repadmin /syncall /AdeP - force replication to all DCs
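The same repadmin output turned into a quick health report, as an added example (not part of the original notes). It assumes RSAT/repadmin is available on the machine and that the account can query every DC in the forest.

```powershell
# Added example: parse "repadmin /showrepl * /csv" and flag any inbound
# replication link that has recorded failures. The "*" queries every DC.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv

# One row per (destination DC, source DC, naming context).
$failing = $rows | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if ($failing) {
    $failing |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
            'Number of Failures', 'Last Success Time', 'Last Failure Status' |
        Format-Table -AutoSize
} else {
    "All inbound replication links reported success."
}

# Per-DC totals, the "replication summary" listed in the commands above.
repadmin /replsummary
```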

AD Partitioning

AD is divided into 4 partitions, which are stored inside the AD database (C:\Windows\NTDS\ by default)

  • Schema Partition
  • Configuration Partition
  • Domain Partition
  • Applications Partition

AD Schema

  • The AD schema defines every object that can be created in the directory and their attributes, such as username, name, surname, password, manager, etc.
  • The schema applies to the whole AD forest
  • Each time we create a new object in AD, the directory consults the schema to assign it a class.
  • The AD schema rarely changes. Changes are irreversible

FSMO Roles

More on that here

Global Catalog

  • The first DC created in a forest is a "Global Catalog Server" by default
  • The GC includes an index that gathers the basic information on the other domains in a forest
  • The GC gathers information on objects in each domain of a multi-domain forest. It also handles requests at the object level by supplying the data necessary for login
  • During a user authentication, the GC server is queried to check every universal group the user is in. The more universal groups, the slower the replication
  • At least 2 GC servers are recommended for redundancy

GC options

  • To add or remove the GC option we need to go to Active Directory Users and Computers
  • Inside the Domain Controllers OU (right-click)
  • NTDS Settings

Creating new domains

  • We create new domains in an existing forest by promoting a DC
  • Two types of domains: Child Domains and Tree Domains

More on trusts

  • A trust is useful to grant resource permissions between domains or between AD forests
  • Thanks to trusts, a user or a group can access resources hosted on other domains (ex: a shared folder)

Bidirectional vs Unidirectional

  • Bidirectional: the trust goes both ways. Both domains trust each other and can access each other's resources
  • Unidirectional: one way. A domain trusts another domain, but not the inverse.

Unidirectional trust

Transitivity

  • Transitivity is what allows several domains to trust each other without a direct trust
  • Transitivity is at the domain level and not the forest level

Implicit vs explicit

Implicit

Explicit

Steps to create a Trust

  • We need two different forests, let's say osullivan.local and acme.com
  • On one of the servers, open DNS Manager
  • Right-click Conditional Forwarders (Redirecteurs conditionnels in the French UI) and select "New"
  • Enter the DNS name of the forest to add and the IP of its Root Domain DC
  • Do the same on the other server
  • On one of the servers, open Active Directory Domains and Trusts
  • Right-click the domain, Properties, Trusts tab, and click "New Trust"
  • Give the DNS name of the forest to add
  • Choose "Forest trust"
  • Choose Bidirectional
  • In the "Sides of Trust" window we can create both ends of the trust at the same time if we have the other forest's admin credentials.
  • Choose "Both this domain and the specified domain"
  • Add credentials, ex: ACME\Admin
  • Choose "Forest-wide authentication" (authentication for every resource of the forest). We could also restrict the trust to the precise servers on which it applies, if needed
  • Complete the trust
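The same procedure scripted, as an added example (not part of the original notes), which also prints the direction and transitivity properties described in the trust sections above. It assumes the local forest is osullivan.local, the remote forest acme.com with its root DC at 10.20.0.10 (a placeholder), and an elevated session on an osullivan.local DC with the DnsServer and ActiveDirectory modules.

```powershell
# Added example: conditional forwarder + bidirectional forest trust + check.
Import-Module DnsServer
Import-Module ActiveDirectory

$remoteForest = 'acme.com'
$remoteDcIp   = '10.20.0.10'   # placeholder for the remote root DC's IP

# 1. Conditional forwarder so local DCs can resolve the remote forest's DNS.
#    The acme.com side needs the mirror entry pointing back to osullivan.local.
if (-not (Get-DnsServerZone -Name $remoteForest -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $remoteForest `
        -MasterServers $remoteDcIp -ReplicationScope Forest
}

# 2. Bidirectional forest trust. There is no New-ADTrust cmdlet; the .NET API
#    below is what the Domains and Trusts snap-in wraps. Creating both sides
#    at once requires admin credentials in the remote forest (ex: ACME\Admin).
$cred = Get-Credential -Message "Admin credentials for $remoteForest"
$ctx  = New-Object -TypeName System.DirectoryServices.ActiveDirectory.DirectoryContext `
    -ArgumentList @(
        [System.DirectoryServices.ActiveDirectory.DirectoryContextType]::Forest,
        $remoteForest, $cred.UserName, $cred.GetNetworkCredential().Password)
$local  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$remote = [System.DirectoryServices.ActiveDirectory.Forest]::GetForest($ctx)
$local.CreateTrustRelationship($remote,
    [System.DirectoryServices.ActiveDirectory.TrustDirection]::Bidirectional)

# 3. Verify: Direction and ForestTransitive are the two properties the notes
#    describe. Forest trusts are created with SID filtering on; keep it on.
Get-ADTrust -Filter * |
    Select-Object Name, Direction, ForestTransitive, IntraForest,
        SelectiveAuthentication, SIDFilteringForestAware |
    Format-Table -AutoSize
```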

AD Sites

  • AD sites divide a domain into several geographic locations
  • This division makes it possible to manage the replication delay between DCs
  • The DCs can be distributed between sites if needed.
  • By default, every new domain groups all of its DCs in the same site, named "Default-First-Site-Name"
  • Limit of one RODC per site
  • AD sites are also useful to manage the replication between Exchange servers
  • Sites can be linked with RPC over IP as well as SMTP (no longer used)
  • The links between sites are WAN links or VPN servers.

Create AD Sites

  • Open Active Directory Sites and Services
  • Select the Sites folder, right-click, New Site
  • Give it a name and select the default link
  • Do the same for any other sites needed
  • In the Servers folder, right-click each server and move it to the site it belongs to
  • Now we must create a link between these sites
  • Under the Inter-Site Transports folder, right-click IP and select "New Site Link"
  • Give it a name and add the involved sites on the right
  • Right-click the newly created link, Properties
  • From here we can manage the replication frequency and the costs
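The same site layout built with the ActiveDirectory module instead of the snap-in, as an added example (not part of the original notes). Site names, subnets, the DC name and the link settings are constructed for the example; it assumes an elevated session as a member of Enterprise Admins.

```powershell
# Added example: create sites, map subnets, move a DC, create the IP site
# link and review its cost and replication frequency.
Import-Module ActiveDirectory

$sites = @{
    'Paris' = '10.1.0.0/16'   # constructed subnets for the example
    'Lyon'  = '10.2.0.0/16'
}

# 1. Create the sites and the subnets that place clients and DCs into them.
foreach ($name in $sites.Keys) {
    if (-not (Get-ADReplicationSite -Filter "Name -eq '$name'")) {
        New-ADReplicationSite -Name $name
    }
    New-ADReplicationSubnet -Name $sites[$name] -Site $name -ErrorAction SilentlyContinue
}

# 2. Move a DC out of Default-First-Site-Name into its site (the "move server"
#    step in the Servers folder). DC02 is a constructed name.
Move-ADDirectoryServer -Identity 'DC02' -Site 'Lyon'

# 3. IP site link between the two sites. Cost is a relative weight (lower is
#    preferred when several paths exist); the frequency is the inter-site
#    replication interval in minutes.
New-ADReplicationSiteLink -Name 'Paris-Lyon' `
    -SitesIncluded 'Paris', 'Lyon' `
    -InterSiteTransportProtocol IP `
    -Cost 100 -ReplicationFrequencyInMinutes 15

# 4. Review links, cost and schedule. The bridgehead server in each site is
#    selected automatically, as described in the inter-site replication notes.
Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes |
    Select-Object Name, Cost, ReplicationFrequencyInMinutes, SitesIncluded |
    Format-Table -AutoSize
```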

Costs
