
Understanding Active Directory
Level 100
Ashwin Venugopal
BinaryTitans IT Solutions Pvt. Ltd.
www.binarytitans.com


What we are going to learn here?

Content

Part 1
What is Directory Service?
Active Directory
History of Directory Service
Advantage of LDAP
Back to Active Directory
Naming conventions
Naming Resolution
DNS
DNS Zone
DNS Zone Type
DNS Round Robin
DNS Queries & DNS Transfers
DNS & Active Directory
AD objects
AD Database
Schema
Domain, Tree and Forest

Part 2
ACID Property of a Database
Active Directory Sites and Services
Active Directory Replication
Domain Controller
Global Catalog Server
Logical and Physical Components of Active Directory
FSMO Roles
Domain Functional Level
Forest Functional Level
Installing Active Directory (Windows Server 2012)

Understanding Active Directory Level 100
Part 1

What is Directory Service?

A directory service is a container that provides a hierarchical structure and lets you store objects for quick and easy access and manipulation. A directory service is like an electronic phone directory that lets you search for a name and retrieve the phone number, address, or other information without knowing where that person lives.

Before directory services, if you needed a file, you needed to know the name of the file, the name of the server on which it was stored and its folder path. This works well on a small network, but as the network grows it becomes challenging.
A directory service is the means by which users and administrators can locate resources regardless of where those resources are located.

Earlier, a typical user could also have more than one user account or password, and as the network grows the number of usernames and passwords also increases, for example one for the file server, one for the email server, etc.

Active Directory

Active Directory is Microsoft's answer to directory services, and it does a lot more than just locate resources.

Active Directory takes care of this by using Kerberos authentication and Single Sign-On (SSO). SSO means the ability of Kerberos to provide a user with one set of credentials and grant them access across a range of resources and services with that same set of credentials. Kerberos authenticates the credentials and issues the user a ticket with which the user gains access to the resources and services that support Kerberos.
Active Directory also makes user management easier, as it acts as a single repository for all of this user- and computer-related information.

History of Directory Service

The predecessor of today's directory services is the X.500 specification, which emerged from the International Telecommunications Union (ITU), formerly the CCITT (Comité Consultatif International Téléphonique et Télégraphique).

X.500 sits at the Application layer in the OSI model. X.500 contains several component databases that work together as a single entity.

The primary database is the Directory Information Base (DIB), which stores information about the objects. Its major limitation was its lack of integration with the Internet Protocol (IP).
The protocol it used was the Directory Access Protocol, or DAP. DAP offered more functionality than is required for implementing directory services, so a scaled-down version called the Lightweight Directory Access Protocol (LDAP) was made. It was later adopted as a standard by the Internet Engineering Task Force (IETF).

Advantage of LDAP

LDAP relies on the TCP/IP stack rather than the OSI stack.
It integrates with IP and enables IP clients to use LDAP to query directory services.
LDAP can perform hyper-searches, giving one directory the ability to defer to another to provide the requested data.
LDAP's API is C-based.
Like X.500, LDAP uses an inverted-tree hierarchical structure.
LDAP supports Kerberos authentication, Simple Authentication and Security Layer (SASL), and Secure Sockets Layer (SSL).
Simple Authentication and Security Layer (SASL) is a framework for authentication and data security in Internet protocols.

Back to Active Directory

AD is Microsoft's answer to directory services, and it does a lot more than just locate resources.
AD uses LDAP as its access protocol.
AD relies on DNS as its locator service, enabling clients to locate domain controllers through DNS queries.
Let's understand Active Directory in more detail.

Naming Conventions

AD contains information about objects in your enterprise. These objects can be computers, users, printers, etc.
AD is a container with nested containers holding other containers or objects. We name these containers and objects so that it is easy to query or search for them.
AD supports several naming conventions:
User Principal Names, or UPN
LDAP names, also known as Distinguished Names

User Principal Names (UPN)

This is the one you'll probably find most familiar; it follows the RFC 822 specification.
It has the same format as your email address, like ashwin@binarytitans.ms. UPNs take the form user@domain.
If you have a user named User01 in the Active Directory domain Domain01.local, the UPN will be User01@Domain01.Local.
Note: We will discuss AD domains in more detail later.

In AD you can create custom UPN suffixes too, which means you can also add User01@Domain01.com or User01@xyz.com as the UPN for the above-mentioned object.

LDAP Names, aka Distinguished Name

Typically it has this format:
cn=common name
ou=organizational unit
dc=domain component
cn=Ashwin,ou=Learning,dc=BinaryTitans,dc=com
And your query would look as below:
LDAP://BTSVRDCo1.binarytitans.com/cn=Ashwin,ou=Learning,dc=binarytitans,dc=com
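As an added example (not part of the deck, and not BinaryTitans' code), the following Python parses and builds the two naming forms covered above, distinguished names and UPNs. The server name btsvrdc01.binarytitans.com and the list of allowed UPN suffixes are constructed assumptions; the escaping follows RFC 4514, so that a value containing a comma cannot change which container a DN built from it refers to.

```python
"""Added illustration: LDAP distinguished names and UPNs (not from the deck)."""

_SPECIAL = set('",+;<>\\')  # must be escaped inside an RDN value (RFC 4514)


def escape_dn_value(value):
    """Escape an attribute value so it can be embedded in a DN safely.
    Concatenating unescaped input lets a value such as 'x,ou=Admins'
    change which container the resulting DN points at."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns):
    """rdns: list of (attribute, value) pairs, most specific first."""
    return ",".join(f"{attr}={escape_dn_value(value)}" for attr, value in rdns)


def parse_dn(dn):
    """Split a DN into (attribute, value) pairs, honouring backslash escapes.
    Multi-valued RDNs (cn=a+sn=b) are not handled; they are rare in AD."""
    components, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # an escaped character is taken literally
            i += 2
            continue
        if ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    components.append("".join(buf))
    rdns = []
    for comp in components:
        attr, sep, value = comp.partition("=")
        if not sep:
            raise ValueError(f"RDN without '=': {comp!r}")
        rdns.append((attr.strip().lower(), value))
    return rdns


def dn_to_domain(dn):
    """Join the dc= components into the DNS name of the domain."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")


def make_upn(username, upn_suffix):
    """UPNs take the form user@domain (RFC 822 style)."""
    return f"{username}@{upn_suffix}"


def validate_upn(upn, allowed_suffixes):
    """A UPN has exactly one '@' and a suffix the forest actually publishes
    (the domain's DNS name or a configured custom UPN suffix)."""
    if upn.count("@") != 1:
        return False
    user, suffix = upn.split("@")
    return bool(user) and suffix.lower() in {s.lower() for s in allowed_suffixes}


def ldap_url(server, dn):
    """LDAP://server/DN, the query form shown on the slide."""
    return f"LDAP://{server}/{dn}"


if __name__ == "__main__":
    dn = "cn=Ashwin,ou=Learning,dc=BinaryTitans,dc=com"
    print(parse_dn(dn))
    print(dn_to_domain(dn))
    # Constructed server name (assumption, not the deck's BTSVRDCo1)
    print(ldap_url("btsvrdc01.binarytitans.com", dn))
    print(build_dn([("cn", "Smith, John"), ("ou", "Learning"), ("dc", "binarytitans"), ("dc", "com")]))
    print(validate_upn(make_upn("User01", "Domain01.local"), ["domain01.local", "xyz.com"]))
```

The round trip parse_dn(build_dn(rdns)) == rdns is the property to keep in mind whenever a DN is assembled from user-supplied attribute values.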


Naming Resolution

In today's networks, you assign logical addresses, such as IP addresses.
Unfortunately, these addresses tend to be hard to remember, especially in the case of the newer, more complicated IPv6 addresses. Therefore, you need to use some form of naming service that allows you to translate logical names, which are easier to remember, into logical addresses.
The most common naming service is the Domain Name System, or DNS.

DNS

DNS is short for Domain Name System.
DNS is a hierarchical, client/server-based, distributed database management system that translates domain/host names to IP addresses.
The top of the tree is known as the root domain. Below the root domain you will find top-level domains, such as .com, .edu, .org and .net, as well as two-letter country codes, such as .uk, .ca and .us.

DNS Zones

A zone is a collection of records which share a similar naming pattern.

DNS Zone Types

When you define DNS zones, you create each zone as either:

Forward lookup zone
A forward lookup zone is the most common type of zone. DNS clients can use this zone to obtain information such as the IP addresses that correspond to DNS domain names, or the services that are stored in the zone.

Reverse lookup zone
Provides mapping from IP addresses back to DNS domain names.

DNS Round Robin

DNS servers use a mechanism called round-robin to share and distribute load for a network resource.
Round-robin rotates the order of resource records with the same name that point to different IP addresses.

DNS Queries & DNS Transfers

DNS queries and DNS transfers occur over TCP/UDP port 53. So, if you have any firewall between servers (including firewalls running on the servers), you will need to open port 53.

DNS & Active Directory

The DNS server must support:
Service (SRV) resource records
The dynamic update protocol specified by RFC 2136
AD relies on DNS as its primary locator service, although it is not the only mechanism for locating domain controllers (DCs).

A domain controller is a server which has Active Directory installed.
When a domain controller starts, it registers both its DNS name and its NetBIOS name. More on NetBIOS names later.
It adds LDAP-specific SRV records in DNS to enable LDAP clients to locate DCs through LDAP queries.
It also adds Kerberos authentication protocol-specific SRV records to enable clients to locate servers running the Kerberos Key Distribution Center (KDC) service.
Each DC also adds an A record that enables clients that don't support SRV records to locate the DC through a simple host record lookup. You can disable this if required.
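As an added example (not from the deck), the following Python shows the locator record names a DC registers and a check a defender can run over the SRV answers for them: every target should be a DC you know about and advertise the expected port, and every DC you know about should be registered. The record names under _msdcs and the site-specific variants are standard AD DNS conventions; the answer lines, DC names and site name are constructed sample data, and the selection order is a deterministic simplification of RFC 2782.

```python
"""Added illustration: DC locator SRV records and an audit of the answers."""


def dc_locator_names(domain, site=None):
    """SRV names a DC registers for LDAP and for the Kerberos KDC.
    The site-specific names are the standard AD locator records used by
    clients in a known site (assumption: not described on the slide)."""
    names = {
        "ldap": f"_ldap._tcp.dc._msdcs.{domain}",
        "kdc": f"_kerberos._tcp.dc._msdcs.{domain}",
    }
    if site:
        names["ldap_site"] = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
        names["kdc_site"] = f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}"
    return names


def parse_srv(answer):
    """Parse one 'priority weight port target' line as printed for an SRV query."""
    fields = answer.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV answer: {answer!r}")
    priority, weight, port, target = fields
    return {
        "priority": int(priority),
        "weight": int(weight),
        "port": int(port),
        "target": target.rstrip(".").lower(),
    }


def order_srv(records):
    """Client preference: lowest priority first, then highest weight.
    RFC 2782 picks randomly in proportion to weight within one priority;
    sorting by weight is a deterministic simplification."""
    return sorted(records, key=lambda r: (r["priority"], -r["weight"], r["target"]))


def audit_locator_records(records, known_dcs, expected_port):
    """Compare SRV answers against the DCs you expect to exist.
    Returns a list of findings: unknown targets, unexpected ports, and
    DCs that have not registered (stale records, typos and unauthorized
    registrations all show up here)."""
    known = {dc.lower() for dc in known_dcs}
    findings = []
    for r in records:
        if r["target"] not in known:
            findings.append(f"unknown target {r['target']}")
        if r["port"] != expected_port:
            findings.append(f"{r['target']} advertises port {r['port']}, expected {expected_port}")
    seen = {r["target"] for r in records}
    for dc in sorted(known - seen):
        findings.append(f"{dc} has no SRV record")
    return findings


if __name__ == "__main__":
    # Constructed sample: what an SRV query for the LDAP locator name might return.
    ldap_answers = [
        "0 100 389 btsvrdc01.binarytitans.com.",
        "0 50 389 btsvrdc02.binarytitans.com.",
        "10 100 389 unknown01.binarytitans.com.",
    ]
    known = ["btsvrdc01.binarytitans.com", "btsvrdc02.binarytitans.com", "btsvrdc03.binarytitans.com"]
    print(dc_locator_names("binarytitans.com", site="Default-First-Site-Name"))
    recs = [parse_srv(a) for a in ldap_answers]
    print([r["target"] for r in order_srv(recs)])
    for finding in audit_locator_records(recs, known, 389):
        print("FINDING:", finding)
    # The KDC records use port 88 (constructed sample line).
    print(audit_locator_records([parse_srv("0 100 88 btsvrdc01.binarytitans.com.")], known[:1], 88))
```

Running the same audit against each name returned by dc_locator_names, for every site, gives a quick picture of whether the DC locator data in DNS matches the DCs the organization actually operates.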


Active Directory Objects

Objects in AD can be either containers for other objects or leaf objects, which do not serve as containers.
Objects in AD have attributes, and these attributes not only define the object but also store data. They define the character of that object.
Some attributes are optional and some are mandatory.
Optional: Phone Number
Mandatory: Username
When an object is created, AD assigns it a GUID, which is a 128-bit number; no two objects in AD have the same GUID.
If an object is moved within AD, it does not lose its GUID.
Objects in AD are protected by Access Control Lists (ACLs).


Active Directory Database

The ESE (Extensible Storage Engine) comprises tables that define the structure of the directory.
The database layer has three partitions that define the contents of AD, with an optional fourth partition.

1. Schema Partition
This stores the Active Directory schema. The Active Directory schema defines what types of objects can be created in the directory, how those objects relate to one another, what the mandatory and optional attributes of each object are, and how one can create such objects.

2. Configuration Partition
This contains the configuration of AD.

3. Domain Partition
This partition stores the objects.

4. Application Partition
This is an optional fourth partition that an administrator can create.

Active Directory Schema

The Active Directory schema defines what types of objects can be created in the directory, how those objects relate to one another, what the mandatory and optional attributes of each object are, and how one can create such objects.
The schema requires an update whenever you need to create a new type of object or add anything that requires a new attribute.

Domain, Tree and Forest

AD Domain
Objects that are created in AD are grouped into domains. The objects for a single domain are stored in a single database (which can be replicated).

AD Domain Tree
A tree is a collection of one or more domains.

AD Forest
A forest is a collection of trees that share a common global catalog, directory schema, logical structure, and directory configuration.

Understanding Active Directory Level 100
Part 2

ACID Property of a Database

In computer science, ACID (atomicity, consistency, isolation, durability) is a set of properties that guarantee that database transactions are processed reliably.
In the context of databases, a single logical operation on the data is called a transaction.

Atomicity
Atomicity requires that each transaction is "all or nothing": if one part of the transaction fails, the entire transaction fails, and the database state is left unchanged.

Consistency
The consistency property ensures that any transaction will bring the database from one valid state to another.

Isolation
The isolation property ensures that the concurrent execution of transactions results in a system state that could have been obtained if the transactions were executed serially, i.e. one after the other. Each transaction has to execute in total isolation.

Durability
Durability means that once a transaction has been committed, it will remain so, even in the event of power loss, crashes, or errors. Even if the database crashes, it can be restored.

Active Directory Sites

Sites in Active Directory represent the physical structure, or topology, of your network.
They are managed using the Active Directory Sites and Services console.
Sites are connected by site links, and each site link has a cost associated with it.

Active Directory Replication

Intrasite Replication
Intersite Replication

Active Directory Replication: Intrasite Replication

Happens between DCs in the same site.
Replication happens 15 seconds after a change. This happens automatically.
The intrasite topology is automatically generated by the KCC (Knowledge Consistency Checker), which runs on every DC.

Active Directory Replication: Intersite Replication

This is not created automatically; the administrator creates it.
Active Directory will automatically pick a domain controller from each site to act as a bridgehead server. Bridgehead servers replicate changes between the sites. This is much more efficient than every DC attempting to replicate to other sites.
When a change reaches the bridgehead server, the change is replicated to all other domain controllers in that site.
An administrator can manually select the bridgehead server; these are called preferred bridgehead servers. If they are selected manually and those DCs aren't available, no replication will occur.
Each of these sites is connected to the others by a site link.

Active Directory Replication: Site Link

Determines the schedule of replication.
Allows you to configure a cost. The cost determines at what priority these links should be used: lower cost, higher priority.
The KCC running on the bridgehead server acts as the ISTG (InterSite Topology Generator).
Whenever a site link goes down, the KCC creates a new intersite replication topology. The KCC runs every 15 minutes.
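As an added example (not part of the deck), here is a simplified Python model of the cost rule on site links: the route with the lowest cumulative cost is preferred, and when a link goes down the route is recomputed without it. The topology (the sites HQ, DR and Branch and their link costs) is constructed, and the function illustrates the cost rule only; it is not the KCC/ISTG algorithm, which also takes replication schedules and site-link bridging into account.

```python
"""Added illustration: lowest-cost route over site links, recomputed on link failure."""
import heapq


def cheapest_route(site_links, source, destination, down=()):
    """Dijkstra over site links; the lowest cumulative cost wins.
    site_links: {link_name: (site_a, site_b, cost)}
    down: link names to leave out, as the KCC would after a link failure.
    Returns (total_cost, [link names in order]) or None if unreachable."""
    graph = {}
    for name, (a, b, cost) in site_links.items():
        if name in down:
            continue
        graph.setdefault(a, []).append((b, cost, name))
        graph.setdefault(b, []).append((a, cost, name))  # site links are bidirectional

    best = {source: 0}
    heap = [(0, source, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == destination:
            return cost, path
        if cost > best.get(site, float("inf")):
            continue  # stale heap entry
        for nxt, link_cost, name in graph.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt, path + [name]))
    return None  # no replication path exists between the two sites


# Constructed sample topology (not from the deck)
SAMPLE_LINKS = {
    "HQ-Branch": ("HQ", "Branch", 100),
    "HQ-DR": ("HQ", "DR", 30),
    "DR-Branch": ("DR", "Branch", 40),
}


if __name__ == "__main__":
    print("normal:", cheapest_route(SAMPLE_LINKS, "HQ", "Branch"))
    print("HQ-DR down:", cheapest_route(SAMPLE_LINKS, "HQ", "Branch", down=("HQ-DR",)))
    print("isolated:", cheapest_route(SAMPLE_LINKS, "HQ", "Branch", down=("HQ-DR", "HQ-Branch")))
```

With the sample costs, the direct HQ-Branch link (cost 100) loses to the two-hop route through DR (30 + 40 = 70); remove the HQ-DR link and the direct link is chosen again. A None result is the case worth alerting on: a site with no surviving path receives no intersite replication at all.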


Active Directory Replication: Transport Protocol

RPC over IP
Supports every type of data replication required for Active Directory.
Synchronous.
Used when the connectivity is reliable.
Always used for intrasite replication.

SMTP
Can replicate everything other than file replication: files, login scripts and Group Policies.
Asynchronous.
Used when the connectivity is unreliable.
RPC over IP is what is normally used in the real world.

Active Directory Replication: Multi-Master and Single-Master

Multi-master replication is a method of database replication which allows data to be stored by a group of computers and updated by any member of the group.

Single-master replication is a method of database replication which allows data to be stored by a group of computers, but can only be updated by one member of the group.

Active Directory Commands

The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest:
repadmin /replsummary

Synchronizes a specified domain controller with all replication partners, and reports whether the sync was successful:
repadmin /syncall /e
repadmin /syncall /APeD
A (all partitions), P (push), e (enterprise), d (distinguished name)

Forces the KCC on the targeted domain controller(s) to immediately recalculate its inbound replication topology:
repadmin /kcc *


Active Directory Commands

Find the last time your DCs were backed up, by reading the DSASignature attribute from all servers:
repadmin /showbackup *

Output all replication summary information from all DCs:
repadmin /showrepl *

Displays the inbound replication requests that the domain controller has to issue to become consistent with its source replication partners:
repadmin /queue *

Active Directory Commands

List all the domain controllers in Active Directory:
dsquery server -o rdn

Displays calls that have not yet been answered, made by the specified server to other servers:
repadmin /showoutcalls *

List the topology information of all the bridgehead servers:
repadmin /bridgeheads * /verbose

Inter-Site Topology Generator report:
repadmin /istg * /verbose

Active Directory Commands

Displays a list of failed replication events detected by the Knowledge Consistency Checker (KCC):
repadmin /failcache *

Lists all domains trusted by a specified domain:
repadmin /showtrust *

Displays the replication features for a directory partition on a domain controller:
repadmin /bind *

Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting:
dcdiag /c /e /v

Domain Controller

A server which has Active Directory installed.
Uses LDAP port 389 for communication.

Global Catalog Server

The global catalog is a domain controller that contains a searchable, partial representation of every object in every domain in a multi-domain Active Directory forest.
Uses the non-standard LDAP port 3268 for communication.

AD Database Layer

Directory System Agent (DSA) Layer
The directory service component that runs as Ntdsa.dll on each domain controller, providing the interfaces through which services and processes gain access to the directory database.

ESE Layer
JetEngine

Database Layer
Schema Partition
Config Partition
Domain Partition
Application Partition

AD Database Layer

LDAP Layer
The primary interface for AD DS access. Directory clients use LDAP v3 to connect to the DSA through the LDAP interface. The LDAP interface is part of Wldap32.dll. LDAP v3 is backward compatible with LDAP v2.

REPL Layer
The replication management interface.

SAM Layer
Proprietary interface for connecting to the DSA on behalf of clients that run Windows NT 4.0 or earlier.

Logical and Physical Components of Active Directory

Logical Components
Domain
OU
Objects
Global Catalog
Tree
Forest
Group Policy

Physical Components
Domain Controller
Sites
Site Link

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Forest Wide

Schema Master:
The schema master domain controller controls all updates and modifications to the schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. To update the schema of a forest, you must have access to the schema master.
There can be only one schema master in the whole forest.

Domain Naming Master:
The domain naming master domain controller controls the addition or removal of domains in the forest. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross-references to domains in external directories.
There can be only one domain naming master in the whole forest.

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Domain Wide

Infrastructure Master:
When an object in one domain is referenced by another object in another domain, the reference is represented by the SID and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.
At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server, it will stop updating object information, because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest.

FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Domain Wide

Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers in a particular domain. When a DC creates a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in the domain. Each DC in a domain is allocated a pool of RIDs that it is allowed to assign to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC.
At any one time, there can be only one domain controller acting as the RID master in the domain.
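As an added example (not from the deck), the following Python splits a SID into its domain SID and RID, labels the well-known RIDs, and models how a RID master hands out non-overlapping pools so that two DCs never issue the same SID, with a DC requesting a standby pool once its remaining RIDs fall below a threshold. The domain SID, pool size, threshold and starting RID are constructed values; the real pool size, threshold and first pool are chosen by AD.

```python
"""Added illustration: SID structure and a simplified RID-pool model (not from the deck)."""

# Well-known RIDs that exist in every domain (Enterprise Admins only in the forest root)
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    519: "Enterprise Admins",
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into (domain SID, RID).
    Only domain account SIDs (identifier authority 5, sub-authority 21) qualify."""
    parts = sid.split("-")
    if len(parts) < 8 or parts[0] != "S" or parts[1:4] != ["1", "5", "21"]:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "-".join(parts[:-1]), int(parts[-1])


def describe_sid(sid):
    domain_sid, rid = parse_sid(sid)
    return {"domain_sid": domain_sid, "rid": rid, "well_known": WELL_KNOWN_RIDS.get(rid)}


class RidMaster:
    """The single role holder per domain; hands out non-overlapping RID ranges."""

    def __init__(self, domain_sid, pool_size=500, first_rid=1000):
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self.next_unallocated = first_rid  # constructed start; AD chooses the real one

    def allocate_pool(self):
        start = self.next_unallocated
        self.next_unallocated += self.pool_size
        return (start, self.next_unallocated - 1)


class DomainController:
    """Creates principals from its current pool and asks the RID master for a
    standby pool when the remaining RIDs fall below the threshold."""

    def __init__(self, name, rid_master, threshold=50):
        self.name = name
        self.master = rid_master
        self.threshold = threshold
        self.pool = None      # (first, last) of the pool in use
        self.next_rid = None
        self.standby = None   # pool fetched ahead of time
        self.requests = 0     # how often this DC went to the RID master

    def _remaining(self):
        return 0 if self.pool is None else self.pool[1] - self.next_rid + 1

    def _request_pool(self):
        self.requests += 1
        return self.master.allocate_pool()

    def create_principal(self):
        """Return the SID for a newly created user or group."""
        if self._remaining() == 0:
            self.pool = self.standby or self._request_pool()
            self.standby = None
            self.next_rid = self.pool[0]
        rid = self.next_rid
        self.next_rid += 1
        if self._remaining() < self.threshold and self.standby is None:
            self.standby = self._request_pool()
        return f"{self.master.domain_sid}-{rid}"


if __name__ == "__main__":
    master = RidMaster("S-1-5-21-1111-2222-3333", pool_size=10)  # constructed domain SID
    dc1 = DomainController("dc1", master, threshold=5)
    dc2 = DomainController("dc2", master, threshold=5)
    sids = [dc1.create_principal() for _ in range(25)] + [dc2.create_principal() for _ in range(25)]
    print(len(sids), "principals,", len(set(sids)), "distinct SIDs")
    print("dc1 asked the RID master", dc1.requests, "times")
    print(describe_sid("S-1-5-21-1111-2222-3333-500"))
```

If the RID master is unavailable when a DC's standby pool is also exhausted, that DC can no longer create security principals; that is the operational reason to monitor this role holder.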


FSMO Roles aka Operations Roles (Flexible Single Master Operations Roles)

Domain Wide

PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. At any one time, there can be only one domain controller acting as the PDC emulator in each domain.

The PDC emulator role also performs the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPOs) is always done from the GPO copy found in the PDC emulator's SYSVOL share, unless configured not to do so by the administrator.
The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.

Domain Functional Level

Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level, the more features are available.

The different domain functional levels are:

Windows 2000 native
Gives basic Active Directory functionality.

Windows Server 2003
Allows the computer name of a domain controller to be changed.
Adds a last logon timestamp to each user account.
Adds UserPassword to the iNetOrgPerson object. This is used when migrating from a third-party directory service; it allows the third-party password to be stored in Active Directory.
Constrained delegation.

Domain Functional Level

Windows Server 2008
DFS for replication of the SYSVOL share.
Advanced Encryption Standard (AES) for Kerberos.
Additional last logon details. Adds attributes like the number of failed logon attempts.
Fine-grained password policies. Allows multiple password policies to be defined in the same domain.

Windows Server 2008 R2
Authentication Mechanism Assurance. Adds details to the Kerberos ticket about how the user was authenticated, e.g. whether a smart card was used.
Automatic SPN (Service Principal Name) management.

Mixed or Interim
Upgraded from an NT4 domain and may have some domain controllers that are still NT4.

Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

Forest Functional Level

Active Directory has functional levels at the domain and forest levels which determine which Active Directory features are available. The higher the functional level, the more features are available.

The different forest functional levels are:
Windows 2000
Windows Server 2003
Windows Server 2008
Windows Server 2008 R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016

Windows Server Administrator Jobs in India

Let's take a look at the leading job portals:
Naukri.com
Monster.com
Shine.com


Now willing to learn more?

Ready To Deploy Training from BinaryTitans. Here we cover the following:
a. Installing and Configuring Windows Server 2012
b. Administering Windows Server 2012
c. Configuring Advanced Windows Server 2012 Services
d. Designing and Deploying Microsoft Exchange Server 2016
e. Cisco Certified Network Associate

To enroll, reach out to the BinaryTitans Administration Team:
enroll@binarytitans.com
+91 80 50158271

Thank you for reading
