
Thursday, January 2, 2014

001 - Active Directory Partitions

Active Directory



From Wikipedia,

Active Directory (AD) is a directory service implemented by Microsoft for Windows domain networks. It is included in most Windows Server operating systems.
An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network—assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or normal user.[1]
Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

End



Contents


Introduction


Active Directory contains 4 partitions:

Partition name             Console
Domain Partition           Active Directory Users and Computers
Configuration Partition    Active Directory Sites and Services
Schema Partition           mmc - Active Directory Schema (regsvr32 schmmgmt.dll)
Application Partition      DNS Console

In order to install these 4 partitions, we must have an NTFS partition with a minimum of 250 MB of free space.

Before we start our tour, keep in mind that every operation related to a partition can basically be configured and managed from the console attached to that partition.

Domain Partition


Contains all the objects inside my domain controller (users, OUs, computers, groups, contacts ...); any time you touch one of these objects, you are interacting with the domain partition.

Other objects (printers, shared folders ...) must have a link in Active Directory before you can manipulate them as part of the domain partition, because a shared folder, for example, can be located on a file server and have no relation at all to the domain controller.

Configuration Partition


Before we get to the notion of this partition, let's first discuss the philosophy Microsoft servers use to let a user access particular data:




Now that you understand how the authentication method works, let's take another concept.

Let's assume that we have two sites and a newly hired user, as described in the following scheme:




OK, how does the domain controller know about the new user, and how does it decide to give him access to the data?

Global Catalogue


Is like a center containing information about all the resources in the forest; in order to keep track of these resources it does something called replication, which means replicating information between authorized domain controllers.
This is how the additional domain controller knew about the resources on site 1, and this is how the new user gains access to the resources he has permission on.

All of that requires configuration, and all of it happens inside the configuration partition.

Schema Partition


Contains two parts: classes and attributes (properties of the classes); its role is to define what information is written about users and computers.
For example, when you install Exchange Server you execute the 'prepare id' command. For what?

Of course, to extend the schema, which means adding extra properties to the classes (for example users and computers). All of that will become clear soon, don't worry :)

Application Partition


Is the DNS, and it is optional, meaning that if the zone type is integrated (Active Directory-integrated) you have 4 partitions, whereas if it's a primary zone you only have 3 partitions.
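To see the four partitions from the previous sections on a real domain controller, here is an added PowerShell example (not from the original post). It reads the naming contexts from RootDSE through the ADSI provider, so it also runs on Server 2008 without the ActiveDirectory module; the DnsZones naming-context names are the defaults Windows uses for integrated DNS zones.

```powershell
# Added example, not from the original post: ask a domain controller which
# partitions (naming contexts) it hosts and map each one to the four partition
# types described above. Uses only the ADSI provider, so it runs on a
# domain-joined Server 2008 box without the ActiveDirectory module.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = $rootDse.defaultNamingContext.Value
$configNc = $rootDse.configurationNamingContext.Value
$schemaNc = $rootDse.schemaNamingContext.Value

foreach ($nc in $rootDse.namingContexts) {
    if     ($nc -eq $domainNc) { $kind = 'Domain partition        (Users and Computers)' }
    elseif ($nc -eq $configNc) { $kind = 'Configuration partition (Sites and Services)' }
    elseif ($nc -eq $schemaNc) { $kind = 'Schema partition        (Schema console)' }
    else                       { $kind = 'Application partition   (DNS console, if a DnsZones NC)' }
    '{0,-60} {1}' -f $nc, $kind
}

# The optional 4th partition: AD-integrated DNS zones live in the DomainDnsZones
# and ForestDnsZones application partitions. If neither is listed, DNS on this
# server is either not installed or its zones are file-backed (primary zones).
$dnsNcs = @($rootDse.namingContexts | Where-Object { $_ -like 'DC=*DnsZones,*' })
if ($dnsNcs.Count -eq 0) {
    'No DnsZones partition found: only 3 partitions, DNS is not AD-integrated here.'
} else {
    'DNS application partitions: ' + ($dnsNcs -join '; ')
}
```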

Inheritance


An additional domain controller takes whatever partitions are available on the primary domain controller.
A child or tree domain takes only the schema and the configuration partitions: configuration because it needs to access the resources defined by the global catalogue we saw before, and schema because, as we will see later with Exchange, you install it once for the whole forest.

The domain partition is not inherited because it is unique: every domain has its own set of objects. The application partition is optional, which means you decide by the type of zone you choose.

Installation


I said before that the application partition is optional, but in reality it's not: it's the most important component. Why?
Because it contains the DNS, and the DNS must be installed with Active Directory, not later but together with the installation of Active Directory, or your domain will suffer a horrible life until you reformat it again, and you don't want to do that.
Now, let's start the fun part :)

Start your clean Server 2008: no installation, no configuration, just as clean as a virgin :)

Setting IP Address


We need to tell our domain controller that it is the DNS server, and we do that by specifying the same IP in both fields, as you see here:



In other words: "the server containing Active Directory needs to be one with the DNS".
Of course, if you want, you can install a secondary DNS on a completely different server, a DHCP server for example, or even a workgroup machine.
Another experiment to better understand this concept: when you finish the installation, change the zone type to primary, then go and check 'System32\DNS' and you will find the database. Now change the zone type to integrated, go back to the previous location, and what do you see? Where is the database?

Now the database is in '\NTDS'; take a look (DNS_database.avi).
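The same experiment, checked from the command line instead of the DNS console, as an added PowerShell example that is not part of the original post. It assumes the DNS Server role is installed (so the root\MicrosoftDNS WMI provider exists) and also verifies the "same IP in both fields" rule from the IP address step.

```powershell
# Added example, not from the original post: repeat the zone-storage experiment
# above from the command line. The WMI DNS provider (root\MicrosoftDNS) is
# present wherever the DNS Server role is installed.
foreach ($zone in Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone') {
    if ($zone.DsIntegrated) {
        # Integrated zone: records are objects in the directory database (NTDS.dit),
        # replicated like any other partition data; no file under System32\dns.
        '{0,-30} AD-integrated, stored in the directory (\NTDS)' -f $zone.Name
    } else {
        # Primary (file-backed) zone: records are in a text file under System32\dns.
        $file = Join-Path "$env:SystemRoot\System32\dns" $zone.DataFile
        '{0,-30} file-backed, {1} (exists: {2})' -f $zone.Name, $file, (Test-Path $file)
    }
}

# The "same IP in both fields" rule: the DC's own DNS client should list its own
# address first. A DC that only points at an outside resolver cannot find its
# own SRV records, which is the "horrible life" the text warns about.
foreach ($nic in Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    $own  = @($nic.IPAddress)
    $dns  = @($nic.DNSServerSearchOrder)
    $self = $dns.Count -gt 0 -and ($own -contains $dns[0])
    '{0}: IP={1} DNS={2} -> {3}' -f $nic.Description, ($own -join ','), ($dns -join ','),
        $(if ($self) { 'points at itself, OK' } else { 'does NOT point at itself first' })
}
```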





Run dcpromo, choose advanced features, and hit next; make sure you are here:




Keep in mind when you take this option that the 1st forest takes the 1st domain name as its name.

Hit next




Enter the domain name and hit next; the forest name in this case will also be 'hun7r.local', because as I said before, the first forest takes the name of the 1st domain within it.
Accept the default NetBIOS name and hit next.
Before I continue, I want to mention that the NetBIOS name is used for broadcast, whereas the FQDN is used with DNS.
Choose the forest functional level; every mode opens new features, read the details section to review them. For now I'll just stick with 2000; do as I do if you follow my tutorials, I'll explain why later, when we reach the advanced stuff.
For now, you can assume that the forest functional level decides what kind of servers this forest will have.
Accept the default and hit next; make sure DNS is checked, otherwise you will suffer, then continue.


We discussed NTDS and the log file before, in the introduction; the SYSVOL is for the policies, by default it is shared and follows the users everywhere.
And that's it, a couple more nexts; before I forget, you may want to export the settings you just set in case ..

This is where the wizard starts creating all the partitions we discussed earlier, one by one.



Wait until the installation ends, restart your computer, and happy new domain controller :)
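The same wizard choices (new forest hun7r.local, DNS installed, Windows 2000 forest level, default NTDS/SYSVOL paths) written as a dcpromo answer file and run unattended, as an added example that is not from the original post. The level codes follow the dcpromo unattend documentation (0 = Windows 2000), the NTFS check is my own addition, and the DSRM password is a placeholder you must replace.

```powershell
# Added example, not from the original post: promote the server with the same
# settings the wizard above asks for, from an answer file instead of clicking.
# Values are taken from the text (hun7r.local, DNS on, forest level 2000);
# SafeModeAdminPassword is a placeholder and must be replaced before running.
$answerFile = "$env:TEMP\dcpromo-hun7r.txt"
@"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=hun7r.local
DomainNetbiosName=HUN7R
ForestLevel=0
DomainLevel=0
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
DatabasePath="$env:SystemRoot\NTDS"
LogPath="$env:SystemRoot\NTDS"
SYSVOLPath="$env:SystemRoot\SYSVOL"
SafeModeAdminPassword=CHANGE_ME_DSRM_PASSWORD
RebootOnCompletion=Yes
"@ | Set-Content -Path $answerFile -Encoding ASCII

# The text's prerequisite: the partition holding NTDS/SYSVOL must be NTFS.
$sysDrive = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$env:SystemDrive'"
if ($sysDrive.FileSystem -ne 'NTFS') {
    throw "System volume is $($sysDrive.FileSystem), NTFS is required for the AD partitions"
}

# Runs the promotion; the server reboots when it finishes (RebootOnCompletion=Yes).
dcpromo.exe /unattend:$answerFile

# The answer file holds the DSRM password in clear text: delete it once done
# (after the reboot) rather than leaving it in %TEMP%.
```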

Note

There are a couple of things I want to mention here:
  • There is no such thing as a SAM file any more: all the users, even the local users that were there before installing the domain controller, are now inside Active Directory, and they cannot access this computer locally unless you allow them to access the domain controller locally; you can check that from (Computer, Manage).

  • Open (Active Directory Users and Computers): any new thing you add, any modification you make from this console, means you are playing on the domain partition's ground.
  • For the story I told before about the published folder, you may want to take a look at this demo (publish_folder.avi).

  • In this demo, the moment I set the folder to be published is the moment LDAP can reach it from the Users and Computers console; this means it is now one of the components you can play with within the domain partition.

Consoles

Active Directory Sites and Services

From this console you can manage the configuration partition, but first there are also a couple of notes I want to mention:

  • Sites: a site is the physical location where you can find the servers; by default Windows creates (Default-First-Site-Name), which contains all the available servers, but you can create multiple sites according to how many locations you have.

  • Subnets: now we have created the sites, but how is Windows going to tell that this server/child is from this site? Every site has its own subnet, so from this console we tell the server the subnet used by each site, and when we create a server with a particular subnet, the configuration partition will magically put that server in the preferred site.

Then you add the subnet, select a site, and hit the OK button:



We will delve into this in more detail in a later tutorial :)
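What the Sites and Services console edits is just objects in the configuration partition; the added PowerShell example below (not from the original post) reads them back through ADSI and reports which subnets belong to which site. The container names (CN=Sites, CN=Subnets, CN=Servers) are the standard ones Windows creates.

```powershell
# Added example, not from the original post: read the site and subnet objects the
# console above manages straight out of the configuration partition, and report
# which subnets map to which site and which subnets map to no site at all.
$rootDse  = [ADSI]"LDAP://RootDSE"
$configNc = $rootDse.configurationNamingContext.Value

# Every subnet is a child of CN=Subnets; its siteObject attribute is the DN of the
# site it belongs to (empty if nobody picked a site in the dialog above).
$bySite = @{}
foreach ($subnet in ([ADSI]"LDAP://CN=Subnets,CN=Sites,$configNc").Children) {
    $cidr   = $subnet.Name -replace '^CN='
    $siteDn = $subnet.siteObject.Value
    $site   = if ($siteDn) { ($siteDn -split ',')[0] -replace '^CN=' } else { '(unassigned)' }
    $bySite[$site] += @($cidr)
}

# Sites are the 'site' class children of CN=Sites (CN=Subnets and the transports
# container live there too); the DCs of a site are the server objects under CN=Servers.
foreach ($site in ([ADSI]"LDAP://CN=Sites,$configNc").Children) {
    if ($site.SchemaClassName -ne 'site') { continue }
    $name    = $site.Name -replace '^CN='
    $servers = @(([ADSI]"LDAP://CN=Servers,$($site.distinguishedName.Value)").Children |
                ForEach-Object { $_.Name -replace '^CN=' })
    'Site {0}: DCs=[{1}] subnets=[{2}]' -f $name, ($servers -join ', '), (@($bySite[$name]) -join ', ')
}

# A subnet without a site cannot steer clients to a nearby DC; flag it.
if ($bySite.ContainsKey('(unassigned)')) {
    'Subnets with no site assigned: ' + ($bySite['(unassigned)'] -join ', ')
}
```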

Active Directory Schema


This is where you manage the schema partition. In order to run this console you first need to register the schmmgmt.dll file using the command regsvr32 schmmgmt.dll, then run it from mmc; the video (run_schema_console.avi) explains how to do that in more detail :)
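To see the classes and attributes the Schema console shows, and to notice when something (such as the Exchange prepare step mentioned earlier) has extended the schema, here is an added PowerShell example that is not part of the original post. It uses the .NET DirectorySearcher against the schema naming context; the 30-day window is an arbitrary choice of mine.

```powershell
# Added example, not from the original post: look inside the schema partition the
# console above manages. Classes are classSchema objects and attributes are
# attributeSchema objects, all stored under the schema naming context.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = $rootDse.schemaNamingContext.Value

$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
$searcher.PageSize   = 1000   # the schema has well over 1000 attributes; page the results
$searcher.PropertiesToLoad.AddRange(@('lDAPDisplayName', 'whenCreated'))

$searcher.Filter = '(objectClass=classSchema)'
$classCount = $searcher.FindAll().Count
$searcher.Filter = '(objectClass=attributeSchema)'
$attrCount  = $searcher.FindAll().Count
'Schema partition {0}: {1} classes, {2} attributes' -f $schemaNc, $classCount, $attrCount

# One class up close: the attributes a 'user' object may carry. Attributes
# inherited from organizationalPerson, person and top are not followed here.
$userClass = [ADSI]"LDAP://CN=User,$schemaNc"
$optional  = @($userClass.mayContain) + @($userClass.systemMayContain)
"'user' class: {0} optional attributes defined directly on the class, e.g. {1}" -f `
    $optional.Count, (($optional | Sort-Object | Select-Object -First 5) -join ', ')

# A schema extension shows up as new attributeSchema/classSchema objects. The
# change is forest-wide and cannot be rolled back, so listing what appeared
# recently is a cheap way to notice an extension nobody announced.
$since = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyyMMddHHmmss') + '.0Z'
$searcher.Filter = "(&(|(objectClass=attributeSchema)(objectClass=classSchema))(whenCreated>=$since))"
foreach ($r in $searcher.FindAll()) {
    'recent: {0} created {1}' -f $r.Properties['ldapdisplayname'][0], $r.Properties['whencreated'][0]
}
```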




ADSI Edit


Allows you to manage all Active Directory partitions from one place; it's installed by default on Server 2008, but on Server 2003 you need to install it.
You can take a look at (install_adsiEdit_2003.avi).




That’s it
Feel home and be my guest

Dr_Hun74
