
VNUHCM – UNIVERSITY OF SCIENCE
FACULTY OF ELECTRONICS – TELECOMMUNICATIONS
DEPARTMENT OF TELECOMMUNICATIONS – NETWORKS

COURSE: NETWORK TECHNOLOGY

Chapter 01: ACTIVE DIRECTORY
Editor: Nguyen Viet Ha, Ph.D.
September 19, 2023

Lecturer: Nguyen Viet Ha, Ph.D. Email: [email protected]


1 Windows Domain

Workgroup

❖A peer-to-peer group of computers that share resources.
➢Decentralized in every way.
o May have a central server that is used to provide various services.
o Or share data from individual workstations.

Nguyen Viet Ha, Ph.D. - Department of Telecommunications – Networks, FETEL, VNUHCM-US 3/74
Workgroup

❖As small as two computers, or it can scale up to be quite large.
➢Best suited to a small pool of systems, ideally 15 or less; at around 200 systems the model becomes overloaded.
❖Self-authentication and self-authorization for access to resources, which is weak.
Workgroup

❖Authentication
➢When connecting to a shared resource on a computer, you are first
prompted to supply a valid username and password on that
computer that has permissions to access the resource.

Workgroup

❖Authorization
➢Checks the permissions of the authenticated user and controls
access to functions based on the roles that are assigned to the user.

Workgroup

❖The authentication process for the user log-in is at the local computer.

❖Windows stores user accounts and security descriptors in a database file called the Security Account Manager (SAM).
➢It authenticates local user logons.
➢The SAM database resides in the Windows registry (C:\WINDOWS\system32\config).
➢Available on Windows XP, Vista, 7, 8.1, 10, and 11.
Workgroup

❖SAM objects include the following:

➢SAM_ALIAS: A local group

➢SAM_GROUP: A group that is not a local group (e.g., domain group)

➢SAM_USER: A user account

➢SAM_DOMAIN: A domain

➢SAM_SERVER: A computer account

Workgroup

❖Advantages:
➢Very simple to manage.
➢Simply configure a resource for sharing and define who you want to share that resource with, because everything is set locally.
➢Inexpensive option because you don't need multiple servers to support a workgroup.
Workgroup

❖Disadvantages:
➢Low security.
o Passwords may not be changed very often.
▪ If they are changed, a user may update his password on a few
systems but not on all of them, and then end up out of sync.

➢Less scalability.

Domain

❖A logical grouping of computers that authenticate to a central database of users stored on special servers called domain controllers.
➢When users log into a computer that is joined to a domain, their usernames and passwords are authenticated on the nearest domain controller.

❖A domain might have multiple domain controllers.
Domain

❖Once authenticated, the user receives a token that follows them around the network and automatically proves their identity to other domain-joined servers and clients.
➢Allows them to access resources that specifically grant them access.

❖Users only need to authenticate once to a domain controller to prove their identity to all domain members; this feature is called single sign-on.
Domain

❖The software components that provide the authentication functionality are called Active Directory.
➢Contains many other services and components to centrally manage and secure the computers that are joined to the domain.
o Group Policy can also be used to configure operating system settings, security, and software for different computers and users in the domain.
o Active Directory Certificate Services can be used to automate the configuration and deployment of encryption certificates to domain computers and users.
Domain

❖Advantages:
➢Centralization
➢Manageability
➢Scalability
➢Tight security
➢Single sign-on

❖Disadvantages:
➢Complex
➢High level of administration
➢High-performance devices required (server, router, switch)
➢Expensive
2 Active Directory

Active Directory

❖A directory service that stores user/computer accounts, applications, printers, shared folders, group policies, and all kinds of records.
➢The main Active Directory service is Active Directory Domain Services (AD DS).
o Provides centralized authentication and supports single sign-on to computers on the network that are joined to an Active Directory domain.
Active Directory

❖AD DS stores its data in the NTDS.DIT (New Technology Directory Services Directory Information Tree) file (%SystemRoot%\NTDS\Ntds.dit).
➢A database that stores all Active Directory data, including information about user objects, groups and group membership, as well as password hashes for domain users.
Active Directory

❖Logically separated into the following partitions:
➢Schema Partition: contains the definition of objects and the rules for their creation and manipulation in Active Directory.
➢Configuration Partition: contains the forest-wide Active Directory topology, including DCs, sites and services.
➢Domain Partition: contains information about users, groups, computers and OUs.
➢Application Partition: stores information about applications in AD. For example, AD-integrated DNS zone information is stored in this partition.

❖Each domain controller (DC) holds a copy of the Active Directory database.
Active Directory

❖After the domain controller validates your user name and password, it issues your computer an encrypted token that lists:
➢Domain user account.
➢Domain group accounts of which you are a member.
➢Tokens can only be decrypted by computers that participate in the same Active Directory domain.
➢Destroyed when you log out of your system.
Active Directory

❖When you access a shared resource on another computer in the domain, your token is automatically sent with the request to the target computer to verify your identity.
➢You are then granted or denied access to the resource according to the permissions assigned to your domain user and group accounts listed within the resource's ACL (Access Control List).
Active Directory

❖AD DS is composed of both logical and physical components

3 Active Directory Structure

Active Directory Objects

❖An object is the most basic component in the logical structure of AD defined within the Active Directory database.

❖The Active Directory schema stores a list of all available object types (called classes, e.g., user) and their associated properties (called attributes).
Active Directory Objects

❖Leaf objects: represent a user account, group account, computer account, or network resource published to the Active Directory database (e.g., shared printers).

❖Container objects: used to group leaf objects for ease of administration and the application of Group Policy. There are three main container types:
➢Domains
➢Organizational units (OUs)
➢Sites
Active Directory Objects

❖Domain (or Active Directory domain): used to group and manage objects.
➢Creates a management boundary.
➢Given a unique DNS domain name, such as domain1.com.
➢Each domain object often represents a separate business unit within your organization and can contain OUs as well as leaf objects.
Active Directory Objects

❖Organizational Unit (OU): contains leaf objects or other OUs (called child OUs).

❖The OU structure you create for each domain should reflect the structure within that particular business unit.
Active Directory Objects

❖Sites: represent physical locations within your organization.
➢Each physical location contains a LAN that communicates with other physical locations over a WAN/Internet connection.
➢By representing each physical location with a site object, you can create settings that control the replication of Active Directory information across the Internet.
Active Directory Forests and Trees

❖Domains are often used to represent a single business unit within an organization => suitable for smaller organizations.

❖Larger organizations often have multiple business units, and each business unit may need to access resources within other business units.

❖Active Directory forests are used to provide for multiple domains within the same organization.
Active Directory Forests and Trees

❖Forest: a collection of Active Directory domains that share a schema and some security principals.
➢The vast majority of organizations in the world have a single-domain forest.
➢Multiple-domain forests are generally used by larger, geographically dispersed organizations.
Active Directory Forests and Trees

❖When you install the first domain controller within the first domain in an organization, a forest is created with the same name as this first domain.

❖The first domain in a forest is called the forest root domain.

[Figure: the domain1.com FOREST, containing domain1.com (forest root domain) and the domain2.com tree with its child domains hcm.domain2.com and hn.domain2.com]
Active Directory Forests and Trees
❖Trees: a collection of one or more domains that share a common
namespace.
➢Ex: the domain2.com, hcm.domain2.com, and hn.domain2.com domains share the same core domain name, so we refer to them as the domain2.com tree.

❖The domain2.com domain is called the parent domain within the tree, and the hcm.domain2.com and hn.domain2.com domains are called child domains.

❖The domain1.com domain is also a tree, but one without child domains.

❖The first domain in a tree is called the tree root domain.
[Figure: a FOREST containing two domain trees. Tree 1: forest root domain HCM.com (also a tree root domain) with child domains Q1.HCM.com and Q5.HCM.com, which in turn have child domains P1.Q1.HCM.com and P2.Q5.HCM.com. Tree 2: tree root domain HN.com with child domains BD.HN.com and HK.HN.com, which in turn have child domains P1.BD.HN.com and P2.HK.HN.com.]
4 Active Directory Trusts

Active Directory Trusts
❖Small organizations often may have
only one domain, but larger
organizations will end up with
multiple domains.

❖To simplify administration and the user experience, you can set up
trusts between domains so that an authenticated user in one domain
can access resources in another domain without having to authenticate
with a separate set of credentials.
Active Directory Trusts
❖Trust Flow:
➢Transitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts Domain 3 => Domain 1 will also trust Domain 3.
➢Nontransitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts Domain 3; however, Domain 1 does not trust Domain 3.
➢One-way trust: establishes trust in one direction only. Domain 1 trusts Domain 2, but Domain 2 does not trust Domain 1.
➢Two-way trust: bidirectional trust relationship. If Domain 1 trusts Domain 2, then Domain 2 also trusts Domain 1.
Active Directory Trusts
❖AD DS Trust Types:
➢Parent-Child Trust: a trust relationship that is automatically created between a parent domain and a child domain.
➢They're transitive and they can be created as two-way trusts.

[Figure: domain1.com with a Parent-Child trust to a.domain1.com and a Parent-Child trust to b.domain1.com]
Active Directory Trusts
❖AD DS Trust Types:
➢Tree-Root Trust: a trust relationship that is automatically created between the forest root domain and a new tree.
➢They can be transitive and created as two-way trusts.

[Figure: the domain1.com FOREST; a Tree Root trust between domain1.com and domain2.com; Parent-Child trusts from domain1.com to a.domain1.com and b.domain1.com, and from domain2.com to c.domain2.com]
Active Directory Trusts
❖AD DS Trust Types:
➢Shortcut trust: used between Windows Server domains that reside in the same forest, where there is a need to optimize the authentication process (e.g., a user in Domain 1 frequently needs to authenticate to Domain 2).
➢They can be transitive and created as one-way or two-way trusts.

[Figure: the domain1.com FOREST as before, with a Shortcut trust added between a domain of the domain1.com tree and a domain of the domain2.com tree]
Active Directory Trusts
❖AD DS Trust Types:
➢Realm trust: allows you to create a trust between a Windows Server domain and a non-Windows (Linux, Unix, or macOS Server) Kerberos realm.
➢They can be transitive or nontransitive and created as one-way or two-way trusts.

[Figure: the domain1.com FOREST as before, with a Realm trust to a UNIX Kerberos V5 Realm]
Active Directory Trusts
❖AD DS Trust Types:
➢External trust: connects a Windows Server domain in one forest to another Windows Server domain (Windows NT 4.0 and non-Windows Kerberos realms) in a different forest.
➢They're nontransitive and created as one-way or two-way trusts.

[Figure: the domain1.com FOREST and the domain3.net FOREST (domain3.net with child domains a.domain3.net and b.domain3.net); an External trust links a domain in the domain1.com forest to a domain in the domain3.net forest]


Active Directory Trusts
❖AD DS Trust Types:
➢Forest trust: creates a trust relationship between two Windows Server forests.
➢They're transitive and can be established as one-way or two-way trusts.

[Figure: the domain1.com FOREST and the domain3.net FOREST as before, with a Forest trust between the forest root domains domain1.com and domain3.net]
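The trust flow and trust types above, as an added Python model (not part of the lecture): each trust is a directed edge from the trusting domain to the trusted domain, a two-way trust is two such edges, and a chain of trusts is usable only when every trust in it is transitive. The domain names follow the lecture's figures; `partner.net` and the default-transitivity table are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass
from typing import Optional

# Default transitivity of each AD DS trust type described in the lecture.
# A realm trust can be either, so it must be stated explicitly per trust.
DEFAULT_TRANSITIVE = {
    "parent-child": True, "tree-root": True, "shortcut": True,
    "forest": True, "external": False,
}


@dataclass(frozen=True)
class Trust:
    trusting: str            # domain that trusts (where the resources live)
    trusted: str             # domain whose authenticated users are trusted
    kind: str
    two_way: bool = True
    transitive: Optional[bool] = None   # None = use the default for `kind`

    def is_transitive(self) -> bool:
        if self.transitive is not None:
            return self.transitive
        return DEFAULT_TRANSITIVE[self.kind]


def trust_graph(trusts):
    """Adjacency list: trusting domain -> [(trusted domain, transitive)]."""
    graph = {}
    for t in trusts:
        graph.setdefault(t.trusting, []).append((t.trusted, t.is_transitive()))
        if t.two_way:  # a two-way trust is simply two one-way trusts
            graph.setdefault(t.trusted, []).append((t.trusting, t.is_transitive()))
    return graph


def trust_path(trusts, resource_domain, user_domain):
    """Chain of domains along which trust flows from the domain holding the
    resource to the domain that authenticated the user, or None.

    A direct trust is always usable.  A chain of two or more trusts is only
    usable when every trust in it is transitive (Domain 1 trusts Domain 2 and
    Domain 2 trusts Domain 3 => Domain 1 trusts Domain 3 only transitively).
    """
    if resource_domain == user_domain:
        return [resource_domain]
    graph = trust_graph(trusts)
    queue = deque([(resource_domain, [resource_domain], True)])
    seen = {(resource_domain, True)}
    while queue:
        node, path, chain_transitive = queue.popleft()
        for nxt, transitive in graph.get(node, []):
            first_hop = len(path) == 1
            if not first_hop and not (chain_transitive and transitive):
                continue  # a nontransitive trust cannot be extended
            if nxt == user_domain:
                return path + [nxt]
            state = (nxt, chain_transitive and transitive)
            if state not in seen:
                seen.add(state)
                queue.append((nxt, path + [nxt], state[1]))
    return None


def can_access(trusts, resource_domain, user_domain) -> bool:
    return trust_path(trusts, resource_domain, user_domain) is not None


# Constructed topology matching the lecture's figures.
FOREST_TRUSTS = [
    Trust("domain1.com", "a.domain1.com", "parent-child"),
    Trust("domain1.com", "b.domain1.com", "parent-child"),
    Trust("domain1.com", "domain2.com", "tree-root"),
    Trust("domain2.com", "c.domain2.com", "parent-child"),
    Trust("domain3.net", "a.domain3.net", "parent-child"),
    Trust("domain3.net", "b.domain3.net", "parent-child"),
]
EXTERNAL = FOREST_TRUSTS + [Trust("domain1.com", "domain3.net", "external")]
FOREST = FOREST_TRUSTS + [Trust("domain1.com", "domain3.net", "forest")]

if __name__ == "__main__":
    print(trust_path(FOREST_TRUSTS, "c.domain2.com", "a.domain1.com"))
    print(can_access(EXTERNAL, "a.domain1.com", "b.domain3.net"))  # False
    print(can_access(FOREST, "a.domain1.com", "b.domain3.net"))    # True
```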


5 Global Catalog

Global Catalog
❖A single forest can contain an unlimited number of domains.
➢Each domain can contain an unlimited number of objects.
o Need an optimal way to locate objects quickly within different domains.
Global Catalog
❖Global Catalog (GC):
➢Allows users and applications to find objects in an Active Directory domain tree, given one or more attributes of the target object.
➢Holds a replica of every object in the directory (in every naming context) and a small number of their attributes:
o Those most frequently used in search operations (i.e., a user's first and last names or login names).
o Those required to locate a full replica of the object.
➢Stored on at least one domain controller in the forest.
➢The default is the first domain controller created in the forest.
➢Can be configured on other domain controllers for load balancing.
Global Catalog
❖The GC allows users to quickly find objects
➢without knowing what domain holds them,
➢without requiring a contiguous extended namespace in the enterprise.
➢For example, when assigning permissions on a resource, the interface you use will allow you to select users and groups within other domains in the forest from a list that is provided by the GC.
Global Catalog
❖For user account objects, the global catalog stores a unique name that users can use to log into their domain from any computer in the forest.
➢User Principal Name (UPN): username@domainname.
o Referred to as the user logon name.
o Unique in the forest.

❖Required when logging into a computer as a user account from another domain in the forest.
➢The GC is contacted to verify the UPN and locate a domain controller that can complete the authentication process.
Global Catalog
❖The GC is updated when objects are added or removed within any
domain in the forest.
➢These updates must be replicated to all other domain controllers that
hold a copy of the GC.

Global Catalog
❖In a multi-site environment:
➢Smaller branch offices have low-capacity servers, which cannot handle the additional load of hosting a GC.
➢GC replication may congest the Internet bandwidth in locations that have a slower Internet connection.
➢Solution: deploy domain controllers which only store universal group membership information locally.
Global Catalog
❖In a multi-site environment:
➢Enable Universal Group Membership Caching (UGMC) on sites without a copy of the global catalog to provide fast authentication.
o Domain controllers must contact a remote global catalog the first time each user authenticates to the domain, in order to verify their universal group memberships, which are then cached on the DC.
o Subsequent authentication requests use the universal group membership information for the user stored in the cache.
→ This eliminates the need to contact a remote global catalog.
6 Authentication Process

Authentication Protocols
❖NT LAN Manager (NTLM):
➢Current version: 35.0 (4/29/2022)
➢Used for authentication between clients and servers.
o Authorization information:
▪ Group memberships.
▪ Interactive logon information.
▪ Message integrity.
➢Replaced by Kerberos.
Authentication Protocols
❖Kerberos Network Authentication Service (V5) protocol (Kerberos V5):
➢Current version: Version 5, Release 1.20 (26 May 2022)
➢Used for authentication between clients and servers in a domain (default).
o Authorization information:
▪ Group memberships
▪ Interactive logon information
▪ Message integrity
➢Supports single sign-on.
➢High security.
Authentication Protocols
❖Kerberos Network Authentication Service (V5) protocol (Kerberos V5):
➢Replaces NTLM in AD.
➢However, NTLM can still be used when Kerberos does not work:
o One of the machines is not Kerberos-capable.
o The server is not joined to a domain.
o The Kerberos configuration is not set up correctly.
o The implementation chooses to directly use NLMP (NT LAN Manager (NTLM) Authentication Protocol).
Authentication Process
(KDC: Key Distribution Center; TGT: Ticket-Granting Ticket)

The Key Distribution Center (KDC) resides on each domain controller and stores the encrypted user credentials.

1. The user enters credentials at a workstation to perform an interactive logon.
2. The credentials are encrypted by the client and sent to a domain controller.
3. The encrypted credentials are matched against the encrypted credentials on the domain controller.
Authentication Process

4. The domain controller creates a list of the domain-based groups to which the user belongs.
5. The domain controller queries the global catalog to identify the universal groups to which the user belongs.
6. The KDC issues the client a ticket-granting ticket (TGT).
The TGT contains the encrypted security identifiers (SIDs) for the groups of which the user is a member.
Authentication Process

7. The client requests access to a resource that resides on a specific server.
8. The client uses the TGT to gain access to the ticket-granting service (TGS) on the domain controller.
Authentication Process

9. The TGS issues a service ticket (session ticket) for the server where the resource resides to the client.
The session ticket contains the SIDs for the user's group memberships.
Authentication Process

10. The client presents the session ticket to the server where the resource resides.
The Local Security Authority (LSA) on the server uses the information in the session ticket to create an access token.
Authentication Process

11. The LSA compares the SIDs in the access token with the groups that are assigned permissions in the resource's discretionary access control list (DACL). If they match, the user is granted access to the resource.
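The eleven steps above, worked through as an added Python simulation (not part of the lecture): the client proves knowledge of its key, the KDC issues a TGT carrying the user's domain and universal group SIDs, the TGS issues a service ticket for a file server, and the server's LSA builds an access token and evaluates the DACL. Kerberos encryption is replaced by an HMAC seal under the recipient's long-term key, and the domain SID, user, groups, keys, SPN and DACL are constructed sample data.

```python
import hashlib
import hmac
import json

# Constructed stand-in for Kerberos ticket encryption: the ticket body is
# authenticated with the recipient's long-term key, so only the KDC (krbtgt
# key) or the target server (its service key) can validate it.
def seal(key: bytes, claims: dict) -> dict:
    body = json.dumps(claims, sort_keys=True).encode()
    return {"body": body.hex(), "mac": hmac.new(key, body, "sha256").hexdigest()}


def unseal(key: bytes, ticket: dict) -> dict:
    body = bytes.fromhex(ticket["body"])
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), ticket["mac"]):
        raise PermissionError("ticket was not issued for this key")
    return json.loads(body)


def derive_key(secret: str) -> bytes:
    return hashlib.sha256(secret.encode()).digest()   # long-term key from a password


class Client:
    def __init__(self, user: str, password: str):
        self.user, self.key = user, derive_key(password)

    def authenticator(self, timestamp: str) -> str:
        # Steps 1-2: the password stays on the workstation; the client sends a
        # proof of knowing the key, which the DC can recompute and compare.
        return hmac.new(self.key, timestamp.encode(), "sha256").hexdigest()


class KDC:
    """Runs on every domain controller: steps 3-6 (AS) and 8-9 (TGS)."""
    def __init__(self, users: dict, service_keys: dict, gc_universal_groups: dict):
        self.users = users                   # user -> {"key", "sid", "groups"}
        self.service_keys = service_keys     # SPN -> long-term key of that server
        self.gc = gc_universal_groups        # what the global catalog answers (step 5)
        self.krbtgt_key = derive_key("krbtgt secret (constructed)")

    def authenticate(self, user: str, timestamp: str, authenticator: str) -> dict:
        rec = self.users[user]
        # Step 3: compare against the stored credential.
        expected = hmac.new(rec["key"], timestamp.encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, authenticator):
            raise PermissionError("credentials rejected")
        # Step 4: domain groups; step 5: universal groups from the GC.
        sids = rec["groups"] + self.gc.get(user, [])
        # Step 6: the TGT, readable only by the KDC itself.
        return seal(self.krbtgt_key, {"user": user, "sid": rec["sid"], "group_sids": sids})

    def ticket_granting_service(self, tgt: dict, spn: str) -> dict:
        # Step 8: the TGT proves the client's identity; step 9: a service
        # ticket sealed for the target server carries the same SIDs.
        claims = unseal(self.krbtgt_key, tgt)
        return seal(self.service_keys[spn], {**claims, "spn": spn})


def lsa_access_check(service_key: bytes, service_ticket: dict, dacl: list) -> bool:
    """Steps 10-11 on the resource server: the LSA builds the access token
    from the ticket's SIDs and walks the DACL in canonical order (explicit
    deny ACEs first), so the first matching ACE decides."""
    claims = unseal(service_key, service_ticket)
    token_sids = {claims["sid"], *claims["group_sids"]}
    for ace_type, sid in dacl:
        if sid in token_sids:
            return ace_type == "allow"
    return False   # no matching ACE: denied by default


# Constructed sample domain, user and file server.
DOMAIN = "S-1-5-21-1111-2222-3333"
USERS = {"jsmith": {"key": derive_key("Winter2023!"), "sid": DOMAIN + "-1104",
                    "groups": [DOMAIN + "-1105"]}}           # 1105 = Sales (domain group)
GC_UNIVERSAL = {"jsmith": [DOMAIN + "-1200"]}                # 1200 = All-Staff (universal)
FS_KEY = derive_key("fs01 machine account secret (constructed)")
SERVICE_KEYS = {"cifs/fs01.domain1.com": FS_KEY}
SALES_SHARE_DACL = [("deny", DOMAIN + "-1300"), ("allow", DOMAIN + "-1105")]


def logon_and_access(password: str, dacl=SALES_SHARE_DACL) -> bool:
    """Run the whole 11-step flow for jsmith against the Sales share."""
    kdc = KDC(USERS, SERVICE_KEYS, GC_UNIVERSAL)
    client = Client("jsmith", password)
    ts = "2023-09-19T08:00:00Z"
    tgt = kdc.authenticate("jsmith", ts, client.authenticator(ts))      # steps 1-6
    st = kdc.ticket_granting_service(tgt, "cifs/fs01.domain1.com")     # steps 7-9
    return lsa_access_check(FS_KEY, st, dacl)                          # steps 10-11
```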
7 Flexible Single Master Operations (FSMO) Role

Multi-master model
❖Active Directory is the central repository that stores all objects in an enterprise and their respective attributes.
➢It's a hierarchical, multi-master enabled database that can store millions of objects.
➢Changes to the database can be processed at any domain controller (DC) in the enterprise.
➢Possibility of conflicts that can potentially lead to problems once the data is replicated to the rest of the enterprise.
FSMO Role
❖Need a conflict resolution algorithm.
➢Determine which change was written last: the last writer wins.
➢The changes in all other DCs are discarded.
➢However, there are times when conflicts are too difficult to resolve using the last-writer-wins approach.
➢In such cases, it's best to prevent the conflict from occurring rather than to try to resolve it after the fact.

❖For certain types of changes, Windows incorporates methods to prevent conflicting Active Directory updates from occurring.
Single-master model
❖To prevent conflicting updates, Active Directory performs updates to certain objects in a single-master fashion.
➢Only one DC in the entire directory is allowed to process such updates.

❖Active Directory includes multiple roles, and the ability to transfer roles to any DC in the enterprise.

❖Five Flexible Single Master Operations (FSMO) roles:
FSMO Roles
❖Schema master
➢Manages the read-write copy of your Active Directory schema.
o The AD Schema defines all the attributes – things like employee
ID, phone number, email address, and login name – that you can
apply to an object in your AD database.

FSMO Roles
❖Schema master
➢Only one DC can process updates to the AD schema.
o Once the schema update is complete, it's replicated from the schema master to all other DCs in the directory.
➢There's only one schema master per forest.
o Default: Primary DC (PDC) of the Forest Root Domain.
FSMO Roles
❖Domain naming master
➢Manages the forest-wide domain name space of the directory.
➢Only one DC can add or remove domains and application directory partitions from the directory.
➢There's only one domain naming master per forest.
o Default: Primary DC (PDC) of the Forest Root Domain.
FSMO Roles
❖Relative Identifier (RID) master
➢Allocates Relative Identifier (RID) pools to the DCs in its domain.
o When a DC creates a security principal object (e.g., a user or group), it attaches a unique SID to the object, which consists of:
▪ A domain SID that's the same for all SIDs created in a domain.
▪ A RID that's unique for each security principal SID created in a domain.
➢Also handles moving objects from one domain to another within a forest.
➢There is one RID master in each domain in an Active Directory forest.
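An added Python illustration (not from the lecture) of the SID structure and RID pool allocation described above: a parser that splits a SID into its domain SID and RID, a RIDMaster that hands disjoint RID blocks to the domain controllers of its domain, and DCs that mint SIDs from their block, so SIDs created on different DCs never collide even before replication. The domain SIDs, account names and the deliberately small pool size are constructed values.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class SID:
    """Security identifier, e.g. S-1-5-21-<domain part>-<RID>."""
    revision: int
    authority: int
    sub_authorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "SID":
        parts = text.split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        return cls(int(parts[1]), int(parts[2]), tuple(int(p) for p in parts[3:]))

    def __str__(self) -> str:
        return "-".join(["S", str(self.revision), str(self.authority),
                         *map(str, self.sub_authorities)])

    @property
    def domain_sid(self) -> "SID":
        # Everything except the last sub-authority is shared by every
        # principal created in the domain.
        return SID(self.revision, self.authority, self.sub_authorities[:-1])

    @property
    def rid(self) -> int:
        return self.sub_authorities[-1]

    def with_rid(self, rid: int) -> "SID":
        return SID(self.revision, self.authority, self.sub_authorities + (rid,))


class RIDMaster:
    """One per domain: hands each DC a disjoint block of RIDs."""
    def __init__(self, domain_sid: SID, pool_size: int = 500, first_rid: int = 1000):
        self.domain_sid = domain_sid
        self.pool_size = pool_size
        self.next_rid = first_rid   # RIDs below 1000 are well-known (e.g. 500 = Administrator)
        self.allocations: List[Tuple[str, int, int]] = []

    def allocate_pool(self, dc_name: str) -> Tuple[int, int]:
        lo, hi = self.next_rid, self.next_rid + self.pool_size - 1
        self.next_rid = hi + 1
        self.allocations.append((dc_name, lo, hi))
        return lo, hi


class DomainController:
    def __init__(self, name: str, rid_master: RIDMaster):
        self.name, self.rid_master = name, rid_master
        self.pool_hi = -1   # no pool yet
        self.next_rid = 0

    def create_principal(self, sam_account_name: str) -> SID:
        if self.next_rid > self.pool_hi:   # pool exhausted (or none yet): ask the RID master
            self.next_rid, self.pool_hi = self.rid_master.allocate_pool(self.name)
        sid = self.rid_master.domain_sid.with_rid(self.next_rid)
        self.next_rid += 1
        return sid


def mint_principals(names_per_dc: Dict[str, List[str]], pool_size: int = 3) -> Dict[str, str]:
    """Create principals on several DCs of one constructed domain and return
    {account: SID string}.  The small pool size exercises pool refills."""
    master = RIDMaster(SID.parse("S-1-5-21-1111111111-2222222222-3333333333"), pool_size)
    dcs = {dc: DomainController(dc, master) for dc in names_per_dc}
    return {acct: str(dcs[dc].create_principal(acct))
            for dc, accts in names_per_dc.items() for acct in accts}


if __name__ == "__main__":
    for acct, sid in mint_principals({"DC01": ["alice", "bob", "carol", "dave"],
                                      "DC02": ["erin"]}).items():
        print(f"{acct:6} {sid}  RID={SID.parse(sid).rid}")
```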
FSMO Roles
❖Primary Domain Controller (PDC) emulator
➢Controls authentication within a domain.
o Responds to authentication requests, changes passwords, manages Group Policy Objects and account lockout.
➢Synchronizes time in the enterprise.
➢Backward compatibility.
o Performs all of the functionality that a Windows NT 4.0 Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
➢There is one in each domain in an Active Directory forest.
FSMO Roles
❖Infrastructure master
➢Updates an object's SID and Distinguished Name (DN) in a cross-domain object reference.
➢When an object in one domain is referenced by another object in another domain, it represents the reference by:
o The Globally Unique Identifier (GUID).
o The SID (for references to security principals).
o The DN of the object being referenced.
➢There is one in each domain in an Active Directory forest.
FSMO Roles
❖Infrastructure master
➢Review the Globally Unique Identifier (GUID):
o A 128-bit number used to uniquely identify specific components, hardware, software, files, user accounts, database entries and other items.
o Unique not only in the enterprise but also across the world.
o Active Directory uses GUIDs internally to identify objects.
o A GUID never changes, but a SID can sometimes change.
o The reason for using SIDs rather than GUIDs is backward compatibility. Ex: Windows NT uses SIDs to identify users and groups in ACLs on resources.
FSMO Roles
❖Infrastructure master
➢Review the Distinguished Name (DN):
o Unique in the forest.
o Includes enough information to locate a replica of the partition that holds the object.
▪ It is a sequence of relative distinguished names (RDNs) connected by commas.
FSMO Roles
❖Infrastructure master

➢Review the Distinguished Name (DN):


▪ An RDN is an attribute with an
associated value in the form
attribute=value.

▪ Ex:
‐ CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM
‐ CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM
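An added Python parser (not from the lecture) for the DN format reviewed above: it splits a DN into RDNs at unescaped commas, undoes RFC 4514 backslash and hex escapes in the values, and derives the parent container and the DNS domain name from the DC components. The escaped value `Smith\, Jeff` is constructed; the other DNs are the lecture's examples.

```python
from typing import List, Tuple

SPECIALS = ',=+<>#;"\\ '   # characters RFC 4514 allows to be escaped with a backslash
HEX = "0123456789abcdefABCDEF"


def _is_hex_pair(s: str) -> bool:
    return len(s) == 2 and s[0] in HEX and s[1] in HEX


def split_rdns(dn: str) -> List[str]:
    """Split a DN into its RDN strings at unescaped commas (escapes are kept)."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return rdns


def unescape(value: str) -> str:
    """Undo RFC 4514 escaping: '\\,' -> ',' and '\\2C' -> ','.  Runs of hex
    escapes are decoded together so multi-byte UTF-8 characters survive."""
    out, i = [], 0
    while i < len(value):
        if value[i] != "\\":
            out.append(value[i])
            i += 1
        elif i + 1 < len(value) and value[i + 1] in SPECIALS:
            out.append(value[i + 1])
            i += 2
        elif _is_hex_pair(value[i + 1:i + 3]):
            raw = bytearray()
            while value[i:i + 1] == "\\" and _is_hex_pair(value[i + 1:i + 3]):
                raw += bytes.fromhex(value[i + 1:i + 3])
                i += 3
            out.append(raw.decode("utf-8"))
        else:
            raise ValueError(f"bad escape at offset {i} in {value!r}")
    return "".join(out)


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Parse a DN into (attribute, value) pairs, leaf RDN first."""
    pairs = []
    for rdn in split_rdns(dn):
        attr, sep, value = rdn.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"RDN without attribute=value: {rdn!r}")
        pairs.append((attr.strip(), unescape(value)))
    return pairs


def parent_dn(dn: str) -> str:
    """The container that holds the object: the DN without its leaf RDN."""
    return ",".join(split_rdns(dn)[1:])


def dns_domain(dn: str) -> str:
    """Join the DC components: the DNS name of the domain whose partition
    holds the object (a DN is unique across the whole forest)."""
    return ".".join(v for a, v in parse_dn(dn) if a.upper() == "DC")


if __name__ == "__main__":
    for dn in ["CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM",
               "CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM",
               r"CN=Smith\, Jeff,OU=Sales,DC=corp,DC=Fabrikam,DC=COM"]:
        print(parse_dn(dn), "| parent:", parent_dn(dn), "| domain:", dns_domain(dn))
```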
THANK YOU FOR YOUR ATTENTION

Nguyen Viet Ha, Ph.D.


Department of Telecommunications and Networks
Faculty of Electronics and Communications
University of Science, Vietnam National University, Ho Chi Minh City
Email: [email protected]
