Active Directory Fundamentals Presented by Ram Pratap Singh
How Objects Are Stored and Identified
- Objects are kept in the data store
- The store is organised in a similar fashion to a file system: container objects and non-container (leaf) objects
- Each entry in the data store is an object

Uniquely Identifying Objects
- Every object must be locatable and identifiable
- Each object carries a universally unique identifier (UUID), called a GUID in Active Directory
- The GUID is assigned at creation time by an API function
Building Blocks
- Domains and Domain Trees
- Forests
- Organizational Units
- The Global Catalog
- Flexible Single Master Operator (FSMO) Roles
- Time Synchronization in Active Directory
- Domain and Forest Functional Levels
- Groups
Domains
- A group of network objects
- A logical group that shares the same AD database
- Members share the same namespace
- The permissions

Domain Trees
- A collection of one or more domains
- A transitive trust hierarchy
- A security mechanism to authenticate and authorize access

Forest
- A forest is a collection of one or more domain trees
- The first domain created is the forest root domain
- Never remove the forest root domain
- All domains share a common global catalog
- Domains in a forest are joined by transitive trusts

Organizational Units
- Having covered the large-scale view of AD (domains, trees, and forests), OUs are the containers used almost exclusively for building object hierarchies within a domain
- OUs are the unit of delegated administration, for example allowing a team to create and delete accounts or change passwords only within its OU
The Global Catalog
- The GC can be accessed via LDAP over port 3268
- The Global Catalog is read-only and cannot be updated directly
- The attributes held by the Global Catalog are the members of the partial attribute set (PAS)
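The following is an added example, not part of the presentation, showing how the three points above look in practice: locating GC servers, searching the whole forest through port 3268, and listing the partial attribute set. It assumes the ActiveDirectory RSAT module on a domain-joined host; the account name "jdoe" is a placeholder.

```powershell
# Added example (not from the presentation): querying the global catalog over LDAP port 3268.
# Assumes the ActiveDirectory RSAT module on a domain-joined host; "jdoe" is a placeholder account.
Import-Module ActiveDirectory

# 1. Which domain controllers hold a GC replica?
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } |
    Select-Object HostName, Domain, Site, IsReadOnly

# 2. Search the whole forest through one GC. Port 3268 is GC LDAP (3269 is GC over TLS);
#    an empty SearchBase asks the GC to search every domain partition it holds.
$gc = (Get-ADForest).GlobalCatalogs | Select-Object -First 1
Get-ADObject -Server "${gc}:3268" -SearchBase "" -SearchScope Subtree `
    -LDAPFilter "(&(objectCategory=person)(sAMAccountName=jdoe))" `
    -Properties mail, userPrincipalName

# 3. Only attributes in the partial attribute set (PAS) are replicated to the GC, so only these
#    can be read through 3268; anything else needs a normal LDAP (389) query to the owning domain.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))" `
    -Properties lDAPDisplayName |
    Sort-Object lDAPDisplayName | Select-Object -ExpandProperty lDAPDisplayName
```

Because the GC is read-only, any write (Set-ADObject, New-ADUser and so on) must be sent to a DC of the object's own domain on port 389/636, not to port 3268.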
Flexible Single Master Operator (FSMO) Roles
There are five roles: three exist in every domain, and two apply to the entire forest.
- Schema master (forest-wide)
- Domain naming master (forest-wide)
- PDC emulator (domain-wide)
- RID master (domain-wide)
- Infrastructure master (domain-wide)

Schema master (forest-wide)
- The only DC allowed to make updates to the schema
- No other server can process changes to the schema
- Held by default by the first DC promoted in the forest

Domain naming master (forest-wide)
- Controls changes to the forest-wide namespace
- Adds and removes domains
- Renames or moves domains within the forest
- Authorizes the creation of application partitions

PDC Emulator (domain-wide)
- The PDC emulator has important legacy functions
- Acts as the PDC for down-level clients
- Holds the latest password for every account (password changes are forwarded to it)
- Primary time source for the domain

RID master (domain-wide)
- One relative identifier (RID) master exists per domain
- A RID is the final component of each security identifier (SID), which is what security permissions and security verification are based on
- The RID master generates and maintains a pool of unique RID values and hands blocks of them to the other DCs

Infrastructure master (domain-wide)
- Maintains references (phantoms) to objects that live in other domains
- Works together with the global catalog, comparing its references against the GC copy
- Responsible for updating an object's SID and distinguished name in those cross-domain references
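Added example (not part of the presentation): report which DC holds each of the five roles and check the one placement rule that follows from the infrastructure master description above. Because the infrastructure master updates cross-domain references by comparing them with a global catalog, it never updates anything if it is itself a GC while other DCs in the domain are not. It assumes the ActiveDirectory module and a domain-joined session.

```powershell
# Added example (not from the presentation): FSMO role holders plus the infrastructure
# master / global catalog placement check. Assumes the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    # The two forest-wide roles are properties of the forest object
    [pscustomobject]@{
        Scope              = 'Forest'
        Name               = $forest.Name
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
    }
    # The three domain-wide roles exist once in every domain of the forest
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        [pscustomobject]@{
            Scope                = 'Domain'
            Name                 = $domainName
            PDCEmulator          = $domain.PDCEmulator
            RIDMaster            = $domain.RIDMaster
            InfrastructureMaster = $domain.InfrastructureMaster
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule: the infrastructure master must not be a GC unless every DC in the domain is a GC.
    foreach ($domainName in (Get-ADForest).Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        [pscustomobject]@{
            Domain               = $domainName
            InfrastructureMaster = $domain.InfrastructureMaster
            HolderIsGC           = [bool]$im.IsGlobalCatalog
            AllDCsAreGC          = $allGc
            PlacementOk          = (-not $im.IsGlobalCatalog) -or $allGc
        }
    }
}

Get-FsmoReport | Format-List
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
# The classic tooling gives the same role list in one line:  netdom query fsmo
```

A false PlacementOk is a configuration problem, not an outage: cross-domain group memberships simply stop being updated with renamed or moved objects until the role is moved to a non-GC DC or every DC is made a GC.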
Time Synchronization in Active Directory
- Domain controllers and domain members must have synchronized clocks
- Kerberos uses the clocks to verify the authenticity of its packets
- The w32time service implements time synchronization
- The PDC emulator synchronizes its clock with a reliable outside time source; everything else in the forest follows the domain hierarchy from there

Configuring W32Time on the PDC Emulator
To configure the PDC emulator, you will need to identify one or more authoritative external time sources. For this example we will use the NTP Pool Project's (http://www.pool.ntp.org) NTP servers:
w32tm /config /update /manualpeerlist:"0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org" /syncfromflags:manual /reliable:YES
w32tm /resync /rediscover /nowait
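Added example (not part of the presentation): after the two w32tm commands above have been run, this script confirms that the PDC emulator is actually using the manual peers and measures each DC's offset against the default Kerberos skew limit of five minutes. It assumes the ActiveDirectory module and w32tm.exe; the "hh:mm:ss, +00.0123456s" line format produced by w32tm /stripchart /dataonly is assumed as observed on current Windows versions.

```powershell
# Added example (not from the presentation): verify the time hierarchy the slides describe.
# Assumes the ActiveDirectory RSAT module and w32tm.exe on a domain-joined host.
Import-Module ActiveDirectory

$pdc = (Get-ADDomain).PDCEmulator

# The PDC emulator should now report the manual NTP peers as its source and
# "Source: <peer>" rather than "Local CMOS Clock" in its status.
w32tm /query /computer:$pdc /source
w32tm /query /computer:$pdc /status

function Get-ClockOffsetSeconds {
    # Largest absolute offset (seconds) between this host and $Computer over $Samples probes.
    param([string]$Computer, [int]$Samples = 3)
    $lines = w32tm /stripchart /computer:$Computer /samples:$Samples /dataonly 2>&1
    $offsets = foreach ($line in $lines) {
        # assumed line format: "12:00:01, +00.0123456s"
        if ($line -match ',\s*([+-]\d+\.\d+)s') { [math]::Abs([double]$Matches[1]) }
    }
    if (-not $offsets) { return $null }   # host unreachable or NTP blocked
    ($offsets | Measure-Object -Maximum).Maximum
}

# Kerberos rejects tickets once clock skew exceeds the policy limit; the default is 5 minutes.
$maxSkewSeconds = 300
foreach ($dc in Get-ADDomainController -Filter *) {
    $offset = Get-ClockOffsetSeconds -Computer $dc.HostName
    [pscustomobject]@{
        DC                 = $dc.HostName
        IsPDCEmulator      = ($dc.HostName -eq $pdc)
        OffsetSeconds      = $offset
        WithinKerberosSkew = ($null -ne $offset -and $offset -lt $maxSkewSeconds)
    }
}
```

Run it from a member server rather than from the PDC emulator itself, so that the PDC's own offset is measured like every other DC's. A null OffsetSeconds means UDP 123 to that DC was blocked, which is worth investigating before it turns into Kerberos failures.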
Forest and Domain Functional Levels
Windows 2000 Native Features
Forest functional level: all of the default AD DS features are available.
Domain functional level: all of the default AD DS features and the following directory features are available:
- Universal groups for both distribution and security groups
- Group nesting
- Group conversion, which allows conversion between security and distribution groups
- Security identifier (SID) history

Supported Domain Controller Operating Systems:
- Windows Server 2008 R2
- Windows Server 2008
- Windows Server 2003
- Windows 2000
Windows Server 2003 Features
Forest functional level: all of the default AD DS features, and the following features, are available:
- Forest trust
- Domain rename
- Linked-value replication
- The ability to deploy a read-only domain controller (RODC)
- Improved Knowledge Consistency Checker (KCC) algorithms and scalability
- Dynamic objects in a domain directory partition
- The ability to create instances of new group types to support role-based authorization

Domain functional level: all of the default AD DS features, all of the features available at the Windows 2000 native domain functional level, and the following:
- The domain management tool, Netdom.exe
- Logon time stamp updates (the lastLogonTimestamp attribute)
- The ability to set the userPassword attribute on inetOrgPerson objects
- The ability to redirect the default Users and Computers containers
- Constrained delegation
- Selective authentication

Supported Domain Controller Operating Systems:
- Windows Server 2012, 2012 R2
- Windows Server 2008, 2008 R2
- Windows Server 2003
Windows 2008 Features
Forest functional level: all of the features that are available at the Windows Server 2003 forest functional level, but no additional features.
Domain functional level: all of the features that are available at the Windows Server 2003 domain functional level, plus the following:
- Distributed File System (DFS) replication support for SYSVOL
- Domain-based DFS namespaces
- Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol
- Last interactive logon information
- Fine-grained password policies
- Personal virtual desktops

Supported Domain Controller Operating Systems:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
- Windows Server 2008
Windows 2008 R2 Features
Forest functional level: all of the features that are available at the Windows Server 2003 forest functional level, plus the following:
- Active Directory Recycle Bin, which provides the ability to restore deleted objects in their entirety while AD DS is running
Domain functional level: all default Active Directory features, all features from the Windows Server 2008 domain functional level, plus the following:
- Authentication mechanism assurance
- Automatic SPN management

Supported Domain Controller Operating Systems:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
- Windows Server 2008 R2
Windows 2012 Features
Forest functional level: all of the features that are available at the Windows Server 2008 R2 forest functional level, but no additional features.
Domain functional level: all default Active Directory features, all features from the Windows Server 2008 R2 domain functional level, plus the following:
- KDC support for claims, compound authentication, and Kerberos armoring
- The KDC administrative template policy has two settings (Always provide claims and Fail unarmored authentication requests) that require the Windows Server 2012 domain functional level

Supported Domain Controller Operating Systems:
- Windows Server 2016
- Windows Server 2012 R2
- Windows Server 2012
Windows 2012 R2 Features
Forest functional level: all of the features that are available at the Windows Server 2012 forest functional level, but no additional features.
Domain functional level: all default Active Directory features, all features from the Windows Server 2012 domain functional level, plus the following:
- DC-side protections for Protected Users; members of that group can no longer:
  - Authenticate with NTLM authentication
  - Use DES or RC4 cipher suites in Kerberos pre-authentication
  - Be delegated with unconstrained or constrained delegation
  - Renew user tickets (TGTs) beyond the initial 4 hour lifetime
- Authentication Policies
- Authentication Policy Silos

Supported Domain Controller Operating Systems:
- Windows Server 2016
- Windows Server 2012 R2
Windows 2016 Features
Forest functional level: all of the features that are available at the Windows Server 2012 R2 forest functional level, and the following:
- Privileged access management (PAM) using Microsoft Identity Manager (MIM)
Domain functional level: all default Active Directory features, all features from the Windows Server 2012 R2 domain functional level, plus the following:
- DCs can support rolling the NTLM secrets of a public-key-only user
- DCs can support allowing network NTLM when a user is restricted to specific domain-joined devices
- Kerberos clients that successfully authenticate with the PKInit Freshness Extension receive the fresh public key identity SID

Supported Domain Controller Operating Systems:
- Windows Server 2016
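Added example (not part of the presentation): the functional level tables above all reduce to one rule, a level can only be raised when every DC in scope runs an operating system at least as new as that level. This script, assuming the ActiveDirectory module, reports the current forest and domain modes next to the oldest DC operating system in each domain, and shows the (previewed, not executed) cmdlets used to raise a level.

```powershell
# Added example (not from the presentation): functional level and DC operating system inventory.
# Assumes the ActiveDirectory RSAT module; the domain name in the Set-* lines is a placeholder.
Import-Module ActiveDirectory

function Get-ServerRelease {
    # Turn "Windows Server 2012 R2 Standard" into 2012.5 so releases sort oldest-first
    # (an R2 release sorts after its base release). Returns $null for unknown strings.
    param([string]$OperatingSystem)
    if ($OperatingSystem -match '(\d{4})( R2)?') {
        $release = [double]$Matches[1]
        if ($Matches[2]) { $release += 0.5 }
        return $release
    }
    return $null
}

function Get-FunctionalLevelReport {
    $forest = Get-ADForest
    [pscustomobject]@{
        Object   = "Forest $($forest.Name)"
        Mode     = $forest.ForestMode
        OldestDC = ''
        Note     = 'Forest level is limited by the oldest DC in any domain'
    }
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Identity $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $oldest = $dcs | Sort-Object { Get-ServerRelease $_.OperatingSystem } | Select-Object -First 1
        [pscustomobject]@{
            Object   = "Domain $domainName"
            Mode     = $domain.DomainMode
            OldestDC = "$($oldest.HostName) ($($oldest.OperatingSystem))"
            Note     = 'Domain level cannot exceed the release shown in OldestDC'
        }
    }
}

Get-FunctionalLevelReport | Format-Table -AutoSize

# Raising a level is one-way (only the Windows Server 2008 R2 and later levels can be lowered,
# and only while no feature that needs the higher level is in use), so preview first:
Set-ADDomainMode -Identity corp.example.com -DomainMode Windows2012R2Domain -WhatIf
Set-ADForestMode -Identity corp.example.com -ForestMode Windows2012R2Forest -WhatIf
```

Read-only domain controllers appear in the inventory like any other DC; their operating system counts toward the oldest-release check as well.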
Groups
- Groups are used to collect user accounts, computer accounts and other groups into manageable units
- There are two group types:
  - Distribution (mail) groups
  - Security (permission) groups

Group Scopes
Active Directory supports three group scopes:
- Domain local
- Global
- Universal
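Added example (not part of the presentation): the two group types and three scopes above in working form, together with the group conversion and nesting features listed under the Windows 2000 native domain functional level, and a short audit of what is already in the domain. It assumes the ActiveDirectory module; the OU path and group names are placeholders.

```powershell
# Added example (not from the presentation): group types, scopes, nesting, conversion and audit.
# Assumes the ActiveDirectory RSAT module; the OU and group names below are placeholders.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=corp,DC=example,DC=com'   # placeholder

# Scope decides who may be a member and where the group may be used:
#   Global       - members from its own domain only; usable anywhere in the forest
#   DomainLocal  - members from any trusted domain; usable only inside its own domain
#   Universal    - members from any domain; usable anywhere; membership stored in the GC
New-ADGroup -Name 'HR-Staff'        -GroupScope Global      -GroupCategory Security     -Path $ou
New-ADGroup -Name 'FileShare-HR-RW' -GroupScope DomainLocal -GroupCategory Security     -Path $ou
New-ADGroup -Name 'AllStaff-Mail'   -GroupScope Universal   -GroupCategory Distribution -Path $ou

# Group nesting: accounts go into the global group, the global group into the domain local
# group, and the domain local group onto the resource ACL (the usual AGDLP layering).
Add-ADGroupMember -Identity 'FileShare-HR-RW' -Members 'HR-Staff'

# Group conversion: a distribution group has no usable SID for ACLs; converting it to a
# security group lets it carry permissions (and the reverse conversion drops them).
Set-ADGroup -Identity 'AllStaff-Mail' -GroupCategory Security

function Get-GroupScopeSummary {
    # Count of groups per (category, scope) combination, e.g. "Security, Global"
    Get-ADGroup -Filter * |
        Group-Object GroupCategory, GroupScope |
        Select-Object Count, Name
}
Get-GroupScopeSummary | Format-Table -AutoSize

# Universal security groups replicate every membership change to all GCs in the forest,
# so their direct membership should stay small and stable (nest global groups, not users).
Get-ADGroup -Filter { GroupScope -eq 'Universal' -and GroupCategory -eq 'Security' } -Properties member |
    Select-Object Name, @{ n = 'DirectMembers'; e = { @($_.member).Count } }
```

The New-ADGroup and Set-ADGroup lines change the directory; on a production domain run the audit functions first and keep the creation lines for a lab.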