THE UNIVERSITY OF SCIENCE, VNU-HCM

FACULTY OF ELECTRONICS AND TELECOMMUNICATIONS

DEPARTMENT OF TELECOMMUNICATIONS AND NETWORKS

COURSE
NETWORK TECHNOLOGY

Chapter 1 Windows Domain

ACTIVE DIRECTORY
01
September 13, 2022

Nguyen Viet Ha, Ph.D. Email: [email protected] 2

Workgroup Workgroup

❖A peer-to-peer group of computers that share resources. ❖As small as two computers, or it can scale up to be quite large.

➢Small pool of systems ideally 15 or less. 200 systems.

➢Decentralized in every way.
o May have a central server using to consume various services. ❖Self-authentication and self-authorization
for access to resources.

o Or share data from individual workstations.

Overload Weak
3/70
/50 4/70
/50
 Workgroup Workgroup

❖Authentication ❖The authentication process for the user log-in

➢When connecting to a shared resource on a computer, you are first is at the local computer.
prompted to supply a valid username and password on that
computer that has permissions to access the resource.
❖Windows stores user accounts and security descriptors in a database
file called Security Account Manager (SAM).
➢It authenticates local user logons.
➢The SAM database resides in the Windows registry.
(C:\WINDOWS\system32\config)
➢Available on Windows XP, Vista, 7, 8.1, 10, and 11.
5/70
/50 6/70
/50

Workgroup Workgroup

❖SAM objects include the following: ❖Advantages:

➢SAM_ALIAS: A local group ➢Very simple to manage.

➢SAM_GROUP: A group that is not a local group

➢Simply configure a resource for sharing and define who
➢SAM_USER: A user account you want to share that resource with because
everything is set locally.
➢SAM_DOMAIN: A domain

➢SAM_SERVER: A computer account

➢Inexpensive option because you don’t need multiple
servers to support a workgroup.

7/70
/50 8/70
/50
 Workgroup Domain

❖Disadvantages: ❖A logical grouping of computers that authenticate

➢Low security. to a central database of users stored on special

servers called domain controllers.
o Passwords may not be changed very often.
▪ If they are changed, a user may update his password on a few
➢When users log into a computer that is joined
systems but not on all of them, and then end up out of sync.
to a domain, their usernames and passwords
are authenticated on the nearest domain
➢Less scalability.
controller.

❖
9/70
/50 10/70
/50

Domain Domain

❖Once authenticated, the user receives a token that follows them ❖The software components that provide for this functionality are
around the network and automatically proves their identity to other collectively called Active Directory.

domain-joined servers and clients. ➢Contains many other services and components to centrally manage

➢Allow to access resources that specifically grant them access. and secure the computers that are joined to the domain.
o Group Policy can also be used to configure operating system
settings, security, and software for different computers and users
❖Only need to authenticate once to a domain controller to prove their
in the domain.
identity to all domain members, this feature is called single sign-on.
o Active directory Certificate Services can be used to
automate the configuration of deployment of encryption
certificates to domain computers and users.
11/70
/50 12/70
/50
 Domain

❖Advantage ❖Disadvantage
➢Centralization ➢Complex
➢Manageability ➢High level of administration
➢Scalability ➢High-performance devices (server, router,
➢Tight Security switch) 2 Active Directory
➢Single-Sign-On ➢Expensive

13/70
/50 14

Active Directory Domain

❖A directory service that stores user/computer accounts, applications, ❖AD DS consists NTDS.DIT (New Technology Directory Service.
printers, shared folders, group policies, and all kinds of records. Directory Information Tree) file (%SystemRoot%\NTDS\Ntds.dit)
➢The main Active Directory service is Active Directory Domain
Services (AD DS). ➢is a database that stores all Active Directory data, including
o Provide centralized authentication and support single sign-on to information about user objects, groups and group membership as
computers on the network that are joined to an Active Directory well as password hashes for domain users.
domain.

15/70
/50 16/70
/50
 Domain

❖Logically separated into the following partitions: ❖Each domain controller (DC) has
➢Schema Partition: contains the definition of objects and rules for a centralized copy of the Active
their manipulation and creation in an active directory. Directory database.
➢Configuration Partition: contains the forest-wide active directory
topology including DCs and sites and service.
➢Domain Partition: contain information about users, groups,
computers and OUs.
➢Application Partition: stores information about applications in an
AD. Suppose AD integrated DNS zones information is stored in this
partition.
17/70
/50 18

Active Directory Active Directory

❖After the domain controller validates your user name and password, it ❖When you access a shared resource on another computer in domain,
issues your computer an encrypted token that lists: your token is automatically sent with the request to the target computer
➢Domain user account. to verify your identity.

➢Domain group accounts of which you are a member.

➢You are then granted or denied access to the resource according to

➢Tokens can only be decrypted by computers that participate in the the permissions assigned to your domain user and group accounts

same Active Directory domain. listed within the resource’s ACL (Access Control List).

➢Destroyed when you log out of your system.

19/70
/50 20/70
/50
 Active Directory

❖AD DS is composed of both logical and physical components

3 Active Directory Structure

21/70
/50 22

Active Directory Objects Active Directory Objects

❖An object is the most basic component ❖Leaf objects: represent a user account, group account, computer
in the logical structure of AD defined account, network resources published to the Active Directory database
within the Active Directory database. e.g., (shared printers).

❖Container objects: used to group leaf objects for ease of

administration and the application of Group Policy. There are three main
❖The Active Directory schema stores a list container:
of all available object types (called ➢Domains
classes, e.g., user) and their associated ➢Organizational units (OUs)
properties (called attributes).
➢Sites
23/70
/50 24/70
/50
 Active Directory Objects Active Directory Objects

❖Domain (or Active Directory domain): used to group and manage ❖Organizational Unit (OU): contains leaf objects or other OUs (called
objects. child OUs).
➢Creates a management boundary.
➢Given a unique DNS domain name, such as domain1.com. ❖The OU structure you create
➢Each domain object often represents a separate business unit within for each domain should
your organization and can contain OUs as well as leaf objects. reflect the structure
within that particular
business unit.

25/70
/50 26/70
/50

Active Directory Objects Active Directory Forests and Trees

❖Site: represent physical locations within your organization. ❖Domains are often used to represent a single business unit within an
➢Each physical location contains a LAN that communicates with other organization. => suitable for smaller organizations.
physical locations over an WAN/Internet connection.
➢By representing each physical location with a site object, you can ❖Larger organizations often have multiple business units, and each
create settings that control the replication of Active Directory business unit may need to access resources within other business units.
information across the Internet.

❖Active Directory forests are used to provide for multiple domains within
the same organization.

27/70
/50 28/70
/50
 Active Directory Forests and Trees Active Directory Forests and Trees

❖Forest: a collection of Active Directory domains that share a schema ❖When install the first domain controller within the first domain in an
and some security principals. organization, a forest is created with the same name as this first
➢The vast majority of organizations in the world have a single forest domain.

domain. ❖The first domain in a forest is called the forest root domain.
➢Multiple domain forests are generally used by larger geographically
dispersed organizations. domain2.com
domain1.com
(forest root domain)

hcm.domain2.com hn.domain2.com

domain1.com FOREST
29/70
/50 30/70
/50

Active Directory Forests and Trees Forest Tree

Root Root
❖Trees: a collection of one or more domains that share a common HCM.com HN.com
Domain Domain
namespace Tree
Root
➢Ex: domain2.com, hcm.domain2.com, and hn.domain2.com Domain
domains share the same core domain name, we refer to them as the Q1.HCM.com Q5.HCM.com BD.HN.com HK.HN.com
domain2.com tree.
Child
Domain
❖The domain2.com domain is called the parent domain within the tree,
and the hcm.domain2.com and hn.domain2.com domains are called
child domains.
P1.Q1.HCM.com P2.Q5.HCM.com P1.BD.HN.com P2.HK.HN.com

❖The domain1.com domain is also a tree but without child domains.

TREE DOMAIN TREE DOMAIN

❖The first domain in a tree is called the tree root domain.

31/70
/50 FOREST DOMAIN 32
 Active Directory Trusts
❖Small organizations often may have
only one domain, but larger
organizations will end up with
multiple domains.

4 Active Directory Trusts

❖To simplify administration and the user experience, you can set up
trusts between domains so that an authenticated user in one domain
can access resources in another domain without having to authenticate
with a separate set of credentials.
33 34/70
/50

Active Directory Trusts Active Directory Trusts

❖Trust Flow: ❖AD DS Trust Types:
➢Transitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts ➢Parent-Child Trust: trust relationship automatically created and
Domain 3 => Domain 1 will also trust Domain 3. establishes a relationship between a parent domain and a child
domain.
➢Nontransitive trust: Domain 1 trusts Domain 2, and Domain 2 ➢They’re transitive and they can be created as two-way trusts.
trusts Domain 3; however, Domain 1 does not trust Domain 3.

➢One-way trust: establishes trust in one direction only. Domain 1 domain1.com

trusts Domain 2, but Domain 2 does not trust Domain 1.

Parent-Child Parent-Child
trust trust
➢Two-way trust: bidirectional trust relationship. If Domain 1 trusts
Domain 2, then Domain 2 also trusts Domain 1 a.domain1.com b.domain1.com

35/70
/50 36
 Active Directory Trusts Active Directory Trusts
❖AD DS Trust Types: ❖AD DS Trust Types:
➢Tree-Root Trust: trust relationship automatically created and ➢Shortcut trust: are used on Windows Server domains that reside in
establishes a relationship between the forest root domain and a new the same forest, where there is a need to optimize the authentication
tree. process. This may happen when a user on Domain A frequently
➢They can be transitive and created as two-way trusts. needs to authenticate to Domain B.
➢They can be transitive and created as one-way or two-way trusts.
Tree Root trust Tree Root trust
domain1.com domain1.com
domain2.com Shortcut trust domain2.com
Parent-Child Parent-Child Parent-Child
trust trust Parent-Child trust
trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com

c.domain2.com c.domain2.com

domain1.com FOREST 37 domain1.com FOREST 38

Active Directory Trusts Active Directory Trusts

❖AD DS Trust Types: ❖AD DS Trust Types:
➢Realm trust: allows to create a trust between a Windows Server ➢External trust: External trusts connect a Windows Server domain
domain and a non-Windows (Linux, Unix, or MacOS Server) Kerberos in one forest to another Windows Server domain (Windows NT 4.0
realm. and non-Windows Kerberos realms) in a different forest.
➢They can be transitive or nontransitive and created as one-way or ➢They’re nontransitive and created as one-way or two-way trusts.
two-way trusts.
Tree Root trust Tree Root trust
domain1.com Realm trust UNIX domain1.com
Shortcut trust domain2.com Kerberos domain2.com domain3.net
Shortcut trust
Parent-Child V5 Realm Parent-Child
trust trust

External trust
a.domain1.com b.domain1.com a.domain1.com b.domain1.com
c.domain2.com c.domain2.com a.domain3.net b.domain3.net

domain1.com FOREST 39 domain1.com FOREST domain3.net FOREST 40

 Active Directory Trusts
❖AD DS Trust Types:
➢Forest trust: Forest trusts create a trust relationship between two
Windows Server forests.
➢They’re transitive and can be established as one-way or two-way
trusts.

Tree Root trust Forest trust 5 Global Catalog

domain1.com
domain2.com domain3.net
Shortcut trust
Parent-Child
trust

External trust
a.domain1.com b.domain1.com
c.domain2.com a.domain3.net b.domain3.net

domain1.com FOREST domain3.net FOREST 41 42

Global Catalog Global Catalog

❖A single forest can contain an unlimited number of domains. ❖Global Catalog (GC):
➢Each domain can contain an unlimited number of objects. ➢Allows users and applications to find objects in an Active Directory
domain tree, given one or more attributes of the target object.
o Need the optimal way to locate objects quickly within different
domains. ➢Holds a replica of every object in the directory (in naming context)
and a small number of their attributes.
o The attributes in the GC are those most frequently used in search
operations (such as a user's first and last names or login names)
and those required to locate a full replica of the object.

➢Stored on at least one domain controller in the forest.

➢The default is the first Domain Controller created in the Forest.
➢Can config in other Domain Controller to load balancing.
43/70
/50 44/70
/50
 Global Catalog Global Catalog
❖The GC allows users to quickly find ❖For user account objects, the global catalog stores a unique name
objects of interest without knowing what that users can use to log into their domain from any computer in the
domain holds them and without requiring forest.
a contiguous extended namespace in the
enterprise.
➢User Principle Name (UPN): username@domainname.
o Preferred to as User logon name
o Unique in the forest.

➢For example, when assigning permissions ➢Require when logging into a computer as a user account within
on a resource, the interface you use will another domain in the forest.
allow you to select users and groups o GC is contacted to verify the UPN and locate a domain controller
within other domains in the forest from a that can complete the authentication process.
list that is provided by the GC.
45 46/70
/50

Global Catalog Global Catalog

❖The GC is updated when objects are added or removed within any ❖In site environment, GC replication may congest the Internet bandwidth
domain in the forest. in locations that have a slower Internet connection.
➢These updates must be replicated to all other domain controllers that ➢Enable Universal Group Membership Caching (UGMC) on sites to
hold a copy of the GC. hold a copy of the global catalog to provide fast authentication.

o Domain controllers must contact a remote global catalog the first

time each user authenticates to the domain in order to verify their
universal group memberships.

o These universal group memberships are then cached on the

domain controller, and subsequent authentication requests use
the universal group membership information for the user stored
in the cache, eliminating the need to contact a remote global
catalog.
47/70
/50 48/70
/50
 Authentication Protocols
❖NT LAN Manager (NTLM):
➢Current version: 35.0 (4/29/2022)

➢Used for authentication between clients and servers.

o Authorization information:

6 Authentication Process
▪ Group memberships.
▪ Interactive logon information.
▪ Message integrity.

➢Replaced by Kerberos.

49 50/70
/50

Authentication Protocols Authentication Protocols

❖Kerberos Network Authentication Service (V5) protocol ❖Kerberos Network Authentication Service (V5) protocol
(Kerberos V5): (Kerberos V5):
➢Current version: Version 5, Release 1.20 (26 May 2022)
➢Replaces NTLM in AD.
➢Used for authentication between clients and servers in DC (default). ➢However, NTLM can be used when the Kerberos do not work.
o Authorization information: o One of the machines is not Kerberos-capable.
▪ Group memberships o The server is not joined to a domain.
▪ Interactive logon information o The Kerberos configuration is not set up correctly.
▪ Message integrity o The implementation chooses to directly use NLMP.

➢Support Single Sign-On

➢High security.

51/70
/50 52/70
/50
 Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket

5. The domain controller queries the

global catalog to identify the universal
groups to which the user belongs.
2. The credentials are
encrypted by the client 6. The KDC issues the client a 4. The domain controller
and sent to a domain ticket-granting ticket (TGT). creates a list of the
controller. domain-based groups to
which the user belongs.

3. The encrypted credentials are matched against

the encrypted credentials on the domain controller.

1. The user enters credentials at a workstation to perform an interactive logon.

53/70
/50 54/70
/50

Authentication Process KDC: Key Distribution Center

TGT: Ticket-Granting Ticket Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket
9. The TGS issues a service ticket (session ticket) for
the server where the resource resides to the client.
7. The client requests access
to a resource that resides on a The session ticket contains the SIDs for the users
specific server. group memberships.

8. The client uses the TGT

to gain access to the ticket-
granting service (TGS), on
the domain controller.
55/70
/50 56/70
/50
 Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket Authentication Process KDC: Key Distribution Center
TGT: Ticket-Granting Ticket

10. The client presents the session ticket to the server 11. The LSA compares the SIDs in the access token with the groups that are
where the resource resides. assigned permissions in the resources discretionary access control list (DACL). If
they match, the user is granted access to the resource.
The Local Security Authority (LSA) on the server uses
the information in the session ticket to create an access
token.

57/70
/50 58/70
/50

Multi-master model
❖Active Directory is the central repository in which all objects in an
enterprise and their respective attributes are stored.
➢It's a hierarchical, multi-master enabled database that can store
millions of objects.
➢Changes to the database can be processed at any domain controller
Flexible Single Master Operations (DC) in the enterprise.
7 (FSMO) Role
➢Possibility of conflicts that can potentially
lead to problems once the data is replicated
to the rest of the enterprise.

59 60/70
/50
 FSMO Role Single-master model
❖Need a conflict resolution algorithm. ❖To prevent conflicting updates, the Active Directory performs updates to
➢Which changes were written last, which is the last writer wins. certain objects in a single-master fashion.
➢The changes in all other DCs are discarded. ➢Only one DC in the entire directory is allowed to process updates.

❖Active Directory includes multiple roles, and the ability to transfer roles
➢However, there are times when conflicts are too difficult to resolve
to any DC in the enterprise.
using the last writer wins approach.
➢In such cases, it's best to prevent the conflict from occurring rather
than to try to resolve it after the fact. ❖Five (Flexible Single Master Operations) FSMO roles:

❖For certain types of changes, Windows

incorporates methods to prevent
conflicting Active Directory updates
from occurring.
61/70
/50 62/70
/50

FSMO Roles FSMO Roles

❖Schema master ❖Schema master
➢Manages the read-write copy of your Active Directory schema. ➢Only one DC can process updates to the AD schema.
o The AD Schema defines all the attributes – things like employee o Once the Schema update is complete, it's replicated from the
ID, phone number, email address, and login name – that you can schema master to all other DCs in the directory.
apply to an object in your AD database.
➢There's only one schema
master per forest.
o Default: Primary DC (PDC)
of the Forest Root Domain.

63/70
/50 64/70
/50
 FSMO Roles FSMO Roles
❖Domain naming ❖Relative Identifier (RID) master
➢Manages the forest-wide domain name space of the directory. ➢Allocating Relative Identifier (RID) pools to DCs in its domain.
➢Only on DC which is Domain naming holder can add or remove o When a DC creates a security principal object (e.g., user or
domains and application partitions from the directory. group), it attaches a unique SID to the object, consists of:
▪ A domain SID that's the same
➢There's only one Domain for all SIDs created in a domain.
naming per forest.
▪ A RID that's unique for each
o Default: Primary DC (PDC) security principal SID created in
of the Forest Root Domain. a domain.

➢Moving objects from one domain to

another within a forest.
➢There is one RID Master in each domain in an Active Directory forest
65/70
/50 66/70
/50

FSMO Roles FSMO Roles

❖Primary Domain Controller (PDC) emulator ❖Infrastructure master
➢Controls authentication within a domain. ➢Updates an object's SID and Distinguished Name (DN) in a cross-
o Responds to authentication requests, domain object reference.
changes passwords, manages Group ➢When an object in one domain is referenced by another object in
Policy Objects, account lockout. another domain, it represents the reference by:

➢Synchronize time in an enterprise. o The Globally Unique Identifiers

(GUID).
➢Backward compatibility. o The SID (for references to security
o Performs all of the functionality that a Windows NT 4.0 Server- principals).
based PDC or earlier PDC performs for Windows NT 4.0-based or o The DN of the object being
earlier clients. referenced.
➢There is one in each domain in an
➢There is one in each domain in an Active Directory forest Active Directory forest.
67/70
/50 68/70
/50
 FSMO Roles FSMO Roles
❖Infrastructure master ❖Infrastructure master

➢Review the Distinguished Name (DN): ➢Review the Distinguished Name (DN):
o Unique in the Forest. ▪ An RDN is an attribute with an
associated value in the form
o Includes enough information to locate a replica of the partition attribute=value.
that holds the object.

▪ Is a sequence of relative distinguished names (RDN)

connected by commas.
▪ Ex:
- CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
- CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM
69/70
/50 70/70
/50

THANK YOU FOR YOUR ATTENTION

Nguyen Viet Ha, Ph.D.

Department of Telecommunications and Networks
Faculty of Electronics and Communications
The University of Science, Vietnam National University, Ho Chi Minh City
Email: [email protected]