Archive for February, 2013

 

  1. Active Directory contains information about all objects and their attributes. The attributes hold data that describes the resource that the directory object identifies. Because information about all network resources is stored in Active Directory, a single administrator can centrally manage and administer network resources.
  2. Active Directory can be queried by using protocols such as LDAP. Administrators can easily locate information about objects by searching for selected attributes of the object, using tools that support LDAP.
  3. Active Directory allows you to group objects with similar administrative and security requirements into organizational units. Organizational units provide multiple levels of administrative authority for both applying Group Policy settings and delegating administrative control. This delegation of administrative authority simplifies the task of managing these objects and allows administrators to structure Active Directory to fit their needs.
  4. Active Directory uses Group Policy to provide administrators with the ability to specify Group Policy settings for a site, domain, or organizational unit. Active Directory then enforces these Group Policy settings for all of the users and computers within the container.

 

Advertisements

The FSMO role owners are stored in Active Directory in different locations depending on the role. The DN of the server holding the role is actually stored as the FSMO Role Owner attribute of various objects. For the Ignitedsoul.com domain, here are the containers that hold that attribute in the following order: PDC Role Owner, Infrastructure Master, RID Master, Schema Master, and Domain Naming Master:

LDAP://dc=Ignitedsoul,dc=com

LDAP://cn=Infrastructure,dc=Ignitedsoul,dc=com

LDAP://cn=RID Manager$,cn=System,dc=Ignitedsoul,dc=com

LDAP://cn=Schema,cn=Configuration,dc=Ignitedsoul,dc=com

LDAP://cn=Partitions,cn=Configuration,dc=Ignitedsoul,dc=com

The information in the attribute is stored as a DN, representing the NTDS Settings object of the domain controller that is the role owner. So, example contents for this attribute are:

CN=NTDS Settings, CN=MYSERVER1, CN=Servers, CN=My Site, CN=Sites,

CN=Configuration, DC=Ignitedsoul, DC=com

 

Issue:

–          The Remote connection gets established but gets disconnected moments before you get the Desktop.

Symptoms:

–          You are able to Ping the Server

–          The Server seems to be fine when checked in Console.

–          All the RDP Services seems to be fine.

–          When trying to take Remote connection, the connection gets established, but closes automatically with an error.

–          It asks to check the Network connections or the Remote desktop Services.

Resolution:

–          The Main Culprit here is : rdpcorekmts.dll file in C:\Windows\System32 location

–          All you need to do it replace this .dll file with same file in any working server.

–          You need to rename the file to : rdpcorekmts.old

–          You cannot rename the file directly as the Administrator too has only read permission on this file.

–          First you need to take ownership of this file.

–          Then you need to edit the security permissions and give full control for the Administrator or your account.

–          Only then you can rename the file.

–          Now copy the rdpcorekmts.dll file from any working server and paste in the System32 folder of the server with issue.

–          This replacement resolves the issue, and you can take RDP of the Server normally.

Active Directory is made up of components that constitute its logical and physical structure. To administer Active Directory, we must understand the purpose of these components

 

Logical Structure: The logical structure of Active Directory provides methods for organizing network resources such as computers, printers, users and groups. It is made up of objects, organizational units, domains, domain trees, and forests.

 

1. Objects

The object is the most basic component of the logical structure. Object classes are template for the types of objects that can be created in Active Directory. Each object class is defined by a group of attribute. Attributes define the possible values that can be associated with an object. Each object has a unique combination of attribute values.

 

2. Organizational units

Organizational units are container objects that are used to group other objects in a manner that supports your administrative purposes. By grouping objects by organizational unit in a logical fashion, it becomes easier to locate and administer objects. We can also delegate the authority to administer an organizational unit.  Organizational units can be nested in other organizational units. By nesting organizational units, we can further simplify the administration of objects.

 

3. Domains

Domains are the core functional units in the Active Directory logical structure. A domain is a collection of objects that share a common directory database, security policies, and security relationships with other domains.  Domains provide the following three functions:

  • • Serve as an administrative boundary for objects
  • • Help to manage security for shared resources
  • • Serve as a unit of replication for objects

 

4. Domain Trees

Domains can be grouped together in hierarchical structures that are called trees. When a second domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child domain is attached is called the parent domain. A child domain may in turn have its own child domain.  The name of a child domain is combined with the name of its parent domain to form its own unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.

 

5. Forests

Forests are made up of one or more trees, although a single two-level tree is recommended for most organizations. A two-level tree is when all child domains are made children of the forest root domain to form one contiguous tree. The first domain in the forest is called the forest root domain, and the name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory. By default, the information within Active Directory is shared only within the forest. In this way, the forest is a security boundary for the information contained in the instance of Active Directory.

 

Physical Structure: The physical structure of Active Directory models the physical structure of the network, and is made up of domain controllers and sites. The physical structure of Active Directory defines where and when replication and logon traffic occur, and is used to and manage network traffic. The physical structure enables you to optimize network traffic by determining when and where replication and logon traffic occur.  The elements of the Active Directory physical structure are:

 

1. Domain controllers Domain controller performs storage and replication functions. A domain controller can support only one domain. A domain can have one or more domain controllers.

 

2. Active Directory sites Created mainly to optimize replication traffic and to enable users to connect domain controllers by using reliable, high speed connection. A site is a group of well-connected computers. When sites are established, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site. Latency is the time required for a change that is made on one domain controller to be replicated on other domain controllers. You create sites to optimize the use of bandwidth between separated domain controllers. There can be multiple domains in a single site and single site can have multiple sites.

 

Note: We use Logical structure to organize the network resources and Physical structure to manage the network traffic.

 

Active Directory enables a single sign-on, which makes the complex processes of authentication and authorization transparent to the user. A single sign-on is made up of authentication, which verifies the credentials of the connection attempt, and authorization, which verifies that the connection attempt is allowed. With a single sign-on, users do not have to manage multiple sets of credentials and can access the resources for which they are authorized without thinking about the processes that occur behind the scenes. However, as a systems engineer, we must understand how these processes work in order to troubleshoot the Active Directory structure.

 

The single sign-on process occurs as follows:

 

  1. The user enters credentials at a workstation to perform an interactive logon.
  2. The credentials are encrypted by the client and sent to a domain controller for the client’s domain.
  3. The encrypted credentials that are sent from the client are matched against the encrypted credentials on the domain controller. A Kerberos service, the Key Distribution Center (KDC), resides on each domain controller and stores the encrypted user credentials. If the credentials sent by the client match the credentials stored by the KDC, the process continues.
  4. The domain controller creates a list of the domain-based groups to which the user belongs.
  5. The domain controller queries the global catalog to identify the universal groups to which the user belongs. If the domain controller has Universal group membership caching enabled, the global catalog is not queried and the Universal group memberships are obtained from the cache on the domain controller.
  6. The KDC issues the client a ticket-granting ticket (TGT). The TGT contains the encrypted security identifiers (SIDs) for the groups of which the user is a member.
  7. The client requests access to a resource that resides on a specific server.
  8. The client uses the TGT to gain access to the ticket-granting service (TGS), on the domain controller.
  9. The TGS issues a service ticket, which is also called a session ticket, for the server where the resource resides to the client. The session ticket contains the SIDs for the user’s group memberships.
  10. The client presents the session ticket to the server where the resource resides. The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
  11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resources discretionary access control list (DACL). If they match, the user is granted access to the resource.

 

Record type

Name

Description

A Address Record Maps a hostname to an IP address
PTR Pointer Record Maps an IP address to a hostname
CNAME Alias Record Maps an alias to a hostname
MX Mail Exchanger Record Specifies a mail route for a domain
NS Name Server Record Specifies name servers for a given domain
SOA Start of Authority Record Contains administrative data about a zone, including the primary name server
SRV Service Record Maps a particular service (e.g., LDAP) to one or more hostnames

One important resource record to note is the SRV record type. SRV records are used extensively by domain controllers and Active Directory clients to locate servers that have a particular service.