New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Windows Network Concepts and Active Directory Domain Services
1. Ambo University
Woliso Campus
Department of Information Technology
Network and System Administration
Chapter two
Windows network concepts
1
By Husen Adem at Ambo University Woliso Campus department of Information Technology
2. The topics discussed in this section include
Domain Name Server
Workgroups
Active directory and LDAP
Domain controllers
2
By Husen Adem
3. How computers communicate ?3
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
By Husen Adem
4. TCP/IP was designed to be used by a trusted group of users
4
3 way handshake
SYN = ISNC
SYN = ISNS, ACK(ISNC)
ACK(ISNS)
data transfer
client server
ISN – Initial Sequence Number
How computers communicate ?
By Husen Adem
6. How human communicate with computers?
6
192.168.1.1
192.168.1.2
192.168.1.3
192.168.1.4
192.168.1.5
192.168.1.7
G
Google.com
209.165.200.225
Mr. G opens browser and type http://www.google.com
1.How this possible ?
2.How computer understand http://www.google.com
By Husen Adem
7. Purpose of naming
Addresses are used to locate objects
Names are easier to remember than numbers
We would like to get to the address or other objects using a name
DNS provides a mapping from names to resources of several types
7
By Husen Adem
8. DNS
DNS is a network service that enables clients to resolve names to IP address and
vice-versa.
Allows machines to be logically grouped by domain names.
Comprised of three components
A “name space”
Servers making that name space available
Resolvers (clients) which query the servers about the name space
8
By Husen Adem
9. DNS Features
Global Distribution:
Data is maintained locally, but retrievable globally
No single computer has all DNS data
DNS lookups can be performed by any device
Remote DNS data is locally catchable to improve performance
9
By Husen Adem
10. DNS Features
Loose Coherency:
The database is always internally consistent
Each version of a subset of the database (a zone) has a serial number
The serial number is incremented on each database change
Changes to the master copy of the database are replicated according to timing
set by the zone administrator
Cached data expires according to timeout set by zone administrator
10
By Husen Adem
11. DNS Features
Scalability:
No limit to the size of the database
One server has over 20,000,000 names
No limit to the number of queries
24,000 queries per second handled easily
Queries distributed among masters, slaves, and caches
11
By Husen Adem
12. DNS Features
Reliability:
Data is replicated
Data from master is copied to multiple slaves
Clients can query
Master server
Any of the copies at slave servers
Clients will typically query local caches
DNS use port 53
UDP for the queries and responses
TCP for the zone transfer
12
By Husen Adem
13. DNS Features
Dynamicity:
Database can be updated dynamically
Add/delete/modify of any record
Modification of the master database triggers replication
Only master can be dynamically updated
Creates a single point of failure
13
By Husen Adem
14. DNS Operation
A DNS is a distributed database of name and IP address.
The database is made up of Zone file.
When a host computer requests for a file “name resolution” the DNS server
consults it’s zone file for IP address
If DNS has the file in its database reply the ip address
If DNS does not has record for that request it consult to upper domain server
or root server
After getting the resolution/file from the root server will return the result to
the client
Then the client will get response back and get access
14
By Husen Adem
15. Concept: DNS Names 1
The namespace needs to be made hierarchical to be able to scale.
The idea is to name objects based on
location (within country, set of organizations, set of companies, etc)
unit within that location (company within set of company, etc)
object within unit (name of person in company)
15
By Husen Adem
16. Concept: DNS Names 2
How names appear in the DNS
Fully Qualified Domain Name (FQDN) this show the hole domain levels
WWW.RIPE.NET.
labels separated by dots
DNS provides a mapping from FQDNs to resources of several types
Names are used as a key when fetching data in the DNS
16
By Husen Adem
17. Concept: Resource Records
17
The DNS maps names into data using Resource Records.
www.ripe.net. … A 10.10.10.2
Address Resource
Resource Record
By Husen Adem
18. Concept: DNS Names 3
Domain names can be mapped to a
tree.
New branches at the ‘dots’
No restriction to the amount of
branches.
net com
ripe
www www
edu
isi tislabs
•
disi
ws1 ws2
• •
•
•
•
•
ftp
sun
google
moon
18
By Husen Adem
19. Concept: Domains
Domains are “namespaces”
Everything below .com is in the com domain.
Everything below ripe.net is in the ripe.net domain and in the net domain.
net domain
com domain
ripe.net domain
net com
ripe
www
www
edu
isi tislabs
•
disi
ws1ws2
•
• •
•
•
•
ftp
sun
moon
google
19
By Husen Adem
20. Delegation
Administrators can create subdomains to group hosts
According to geography, organizational affiliation or any other criterion
An administrator of a domain can delegate responsibility for managing a
subdomain to someone else
The parent domain retains links to the delegated subdomain
The parent domain “remembers” who it delegated the subdomain to
20
By Husen Adem
21. net domain
Concept: Zones and Delegations
Zones are “administrative spaces”
Zone administrators are responsible for portion of a domain’s name
space
Authority is delegated from a parent and to a child
ripe.net zone
net zone
disi.ripe.net zone
net com
ripe
www
www
edu
isi tislabs
•
disi
ws1ws2
•
• •
•
•
•
ftp
sun
moon
google
21
By Husen Adem
22. Concept: Name Servers
Name servers answer ‘DNS’ questions.
There are several types of name servers
Authoritative servers
master (primary)
slave (secondary)
(Caching) recursive servers
also caching forwarders
Mixture of functionality
22
By Husen Adem
23. Concept: Authoritative name server
The last server in DNS and stores the website’s IP address
Give authoritative answers for one or more zones.
The master server normally loads the data from a zone file
A slave server normally replicates the data from the master via a zone
transfer
master
slave
slave
23
By Husen Adem
24. Concept: Recursive server(Caching)
Recursive servers do the actual lookups; they ask questions to the
DNS on behalf of the clients.
Answers are obtained from authoritative servers but the answers
forwarded to the clients are marked as not authoritative
Answers are stored for future reference in the cache
24
By Husen Adem
25. Concept: Resolvers
Resolvers ask the questions to the DNS system on behalf of the application.
Client part of DNS
Makes requests to DNS server
Normally implemented in a system library (e.g, libc)
gethostbyname(char *name);
gethostbyaddr(char *addr, int len, type);
25
By Husen Adem
26. Concept: Resolving process & Cache
Resolver
Question: www.ripe.net A
www.ripe.net A ?
Caching
forwarder
(recursive)
root-serverwww.ripe.net A ?
Ask net server @ X.gtld-servers.net (+ glue)
gtld-server
www.ripe.net A ?
Ask ripe server @ ns.ripe.net (+ glue)
ripe-server
www.ripe.net A ?
192.168.5.10
192.168.5.10
Add to cache
26
By Husen Adem
27. Resource records consist of it’s name, it’s TTL, it’s class, it’s type and it’s
RDATA
TTL is a timing parameter
IN class is widest used
There are multiple types of RR records
Everything behind the type identifier is called rdata
Concept: Resource Records detail
Label ttl
class
type
rdata
www.ripe.net. 3600 IN A 10.10.10.2
27
By Husen Adem
28. Resource Records
Resource Record Types
SOA Start Of Authority
NS Name Server
A IPv4 name-to-address translation
AAAA IPv6 name-to-address translation
PTR Address-to-name translation
MX Mail eXchanger
CNAME Canonical NAME
TXT Text
…
28
By Husen Adem
29. What is Workgroup ?
Workgroup is Microsoft's term for peer-to-peer local area network.
Computers running Microsoft operating systems in the same workgroup may
share files, printers, or Internet connection.
logical groups of network devices
each device is a standalone system, everyone is a peer
They are on a single subnet.
29
By Husen Adem
30. Active directory domain service
Why Deploy AD DS?
AD DS is a server services and foundation of windows network.
A network directory service stores information about a computer network and
offers for retrieving and managing that information.
It’s an administrative tool, but users make use of directory services to find
resources.
Directory services provide a centralized management tool, but due to complexity,
requires careful planning prier to setup.
30
By Husen Adem
31. Active directory structure
AD DS is composed of both logical and physical components
31
Logical components Physical components
• Partitions
• Schema
• Domains
• Domain trees
• Forests
• Sites
• OUs
• Containers
• Domain controllers
• Data stores
• Global catalog servers
• RODCs
By Husen Adem
32. Active directory physical structure
An active directory site is simply a physical location in which domain controllers
communicate and replicate information regularly
Each domain controller contains a full replica of the objects that make up the
domain and is responsible for
Storing a copy of the domain data and replicating changes to that data to all other
domain controllers in the domain
Providing data search and retrieval functions for users attempting to locate
objects in the directory.
Providing authentication and authorization services for users who log on to the
domain and attempt to access network resources
32
By Husen Adem
33. What Are AD DS Domains?
An AD DS domain is a logical container used to manage user, computer, group,
and other objects.
All domain controllers hold a copy of the domain database, which is continually
synchronized
The domain is an administrative center for configuring and managing objects
Any domain controller can authenticate any sign-in anywhere in the domain
AD DS requires one or more domain controllers
The domain provides authorization
An administrative boundary for applying
policies to groups of objects
33
AD DS
Computers
Users
Groups
By Husen Adem
34. What Is a Domain Controller?
Domain controllers is:-
Servers that host the AD DS database (Ntds.dit) and SYSVOL
A server with the AD DS server role installed that has specifically been promoted
to a domain controller
Provide authentication and authorization services
Replicate updates to other domain controllers in the domain and forest
Allow administrative access to manage user accounts and network resources
Kerberos authentication service and key distribution center (KDC) services
perform authentication
34
By Husen Adem
35. What Are OUs?
35
• Containers that can be used to
group objects within a domain
• There are two reason to Create OUs:
• Configure objects by assigning GPOs
• Delegate administrative permissions
OUs are represented by a
folder with a book on it
Containers are represented
by a blank folder
The primary difference between OUs and
containers are the management capabilities.By Husen Adem
36. What are Trees ?
A domain tree is a collection of one or more domains that share a contiguous
name space.
All domains in the tree:
Share a contiguous namespace with the parent domain
Can have additional child domains
By default create a two-way transitive trust with other domains
36
contoso.com
na.contoso.comemea.contoso.com
By Husen Adem
37. What Is AD DS Forest?
37
Tree root
domain
fabrikam.com
atl.adatum.com
Child domain
adatum.com
Forest root
domain
• Forest is a collection of one or more
active directory trees that that share a
common directory schema and
global catalog.
• All domains in all trees can
communicate and share information
• Can consists of a single trees, each
with a hierarchy of parent and child
domains
The forest root domain contains a few objects
that do not exist in other domains in the forest.
By Husen Adem
38. What Is the AD DS Schema?
38
The AD DS schema is the component that defines all object classes and attributes
that AD DS uses to store data.
It’s the blueprint for AD DS.
The schema is replicated among all domain controllers in the forest.
An object is a grouping of information that describes a network resource
AD DS uses objects as units of storage.
Schema classes defines the type of objects that can be stored in active directory
Schema attributes defines what type of information is stored in each object
The information stored in each attribute is called the attribute valeBy Husen Adem
40. What Is the Global Catalog?
40 • The global catalog is a partial, read-only, searchable copy of all the
objects in the forest.
• Contains a copy of all AD DS objects in a forest that includes only
some of the attributes for each object in the forest
• Improves efficiency of object searches by avoiding unnecessary
referrals to domain controllers
• Required for users to log on to a domain
AD DS
Global catalog server
Schema
Configuration
Domain A
Domain B
Domain B
Configuration
Schema
Domain B
Configuration
Schema
Domain A
Configuration
Schema
By Husen Adem
41. The AD DS Sign-in Process
41
Domain
controller
ServerWorkstation
The AD DS sign-in process:
1. The user account is authenticated to the domain
controller.
2. The domain controller returns a TGT back to client.
3. The client uses TGT to apply for access to the
workstation.
4. The domain controller grants access to the
workstation.
5. The client uses TGT to apply for access to the
server.
6. The domain controller returns access to the server.
When users sign in to AD DS, their system looks in DNS for service resource
(SRV) records to locate the nearest suitable domain controller.
By Husen Adem
42. What is the AD DS Data Store?
The AD DS data store contains the database files and processes that store and
manage directory information for users, services, and applications
Consists of the Ntds.dit file
The Ntds.dit file on a particular domain controller contains all naming contexts
hosted by that domain controller, including the Configuration and Schema naming
contexts.
Is stored by default in the %SystemRoot%NTDS folder on all domain controllers
Is accessible only through the domain controller processes and protocols
42
By Husen Adem
43. What is AD DS Replication?
AD DS replication copies all updates of the AD DS database to all other domain
controllers in a domain or forest.
AD DS replication:
Ensures that all domain controllers have the same information
Uses a multimaster replication model
Can be managed by creating AD DS sites
The AD DS replication topology is created automatically as new domain
controllers are added to the domain
Advantages of multi-master replication include:
The elimination of single point of failure
Faster replication as each domain controller can be involved with replicating data
43
By Husen Adem
44. What are Sites?
An AD DS site is used to represent a network segment where all domain
controllers are connected by a fast and reliable network connection.
For purposes of replication, AD DS logically organizes groups of servers into
sites, by default one site is created in AD DS.
Sites are:
Associated with IP subnets
Used to manage replication traffic
Used to manage client logon traffic
Used by site aware applications such as Distributed File Systems (DFS) or
Exchange Server
Used to assign group policy objects to all users and computers in a company
location
44
By Husen Adem
45. LDAP(Lightweight Directory Access Protocol)
It’s an application protocol used over an ip network to manage and access the
distributed directory information service.
The primary purpose to store and retrieve data from a hierarchical directory
structure.
45
• LDAP is a flexible solution for
defining any type of entity and
its qualities.
By Husen Adem
46. cont..
46
It’s similar to a telephone
directory that contains a list
of subscribers with their
contact number and address
By Husen Adem
47. Cont..
A client needs to connect to the server known as the Directory system Agent,
which is set by default to use TCP port 389.
After the connection is established, the client and the server exchange packets of
data. Basic encoding rules are used to transfer information between the server and
the client.
47
By Husen Adem
48. Structure of LDAP
48
The structure of LDAP is seems
relatively complex, it’s is fairly simple
to understand.
By Husen Adem
49. Cont..49
The server is capable of holding a
sub-tree and its’s children, beginning
from a particular entry.
By Husen Adem
50. Operations on LDAP
There are a plethora of operations that can be performed on the lightweight Directory
Access protocol.
Add – this is used to insert a new entry into the server directory-to-server
database.
If the name entered by a user already exists, the server fails to add a duplicate
entry and inserted shows an “” entry AlreadyExists” message.
Bind – on connection with the LDAP server, the default authentication state of the
session is anonymous.
There are basically two types of LDAP authentication methods- the simple
authentication method and the SASL Simple Authentication and Security Layer.
50
By Husen Adem
51. Cont..
Delete – As the name suggests, this operation is used to delete an entry from the
directory.
Modify – this operation is used by LDAP clients to make a request for making
changes to the already existing database.
The change to be made must be one of the following operations
Add(including a new vale).
Delete(deleting an already existing value)
Replace (overwriting an existing value with a new one).
Unbind – this is the inverse of the bind operation. Unbind aborts any existing
operations and terminates the connection, leaving no response in the end.
51
By Husen Adem
52. What is x.500 ?
X.500 Directory Service is a standard way to develop an electronic directory of
people in an organization
Can be part of a global directory available to anyone in the world with Internet
access.
It’s purpose is to centralize an organization's contacts so that anyone within (and
sometimes without) the organization who has Internet access can look up other
people in the same organization by name or department.
Several large institutions and multinational corporations have implemented
X.500.
52
By Husen Adem
53. x.500 Distinguished Names
Attribute=vale pairs
Most specific attribute is listed first
This may be similar to the way you already think CN=WIDGETWEB,
OU=Marketing, O=Widget, L=London, ST=London, C=GB, DC=widget,
DC=com
53
Attribute Field Usage
CN Common name Identifies the person or object
OU Organizational unit A unit or department within the organization
O Organization The name of the organization
L Locality Usually a city or area
ST State A state , province, or country within a country
C country The country's 2-character ISO code (such as C=US
or C=GB)
DC Domain component Components of objects domainBy Husen Adem
54. x.500 directory information tree
Hierarchical structure
Builds a tree
Container objects
Country, organization, organizational units
Leaf objects
Users, computers, printers, files
54
By Husen Adem