Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes.

Slides:



Advertisements
Similar presentations
Microsoft Active Directory
Advertisements

Active Directory: Beyond The Basics
Implementing and Administering AD DS Sites and Replication
Chapter 6 Introducing Active Directory
Chapter 4 Chapter 4: Planning the Active Directory and Security.
Introduction to Active Directory
3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
CS603 Active Directory February 1, 2001.
70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 1: Introduction to Windows Server 2003.
Administering Active Directory
3.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 3: Introducing Active Directory.
By Karan Oberoi.  A directory service (DS) is a software application- or a set of applications - that stores and organizes information about a computer.
Understanding Active Directory
Module 1: Introduction to Active Directory
Vikram Thakur Introduction to Active Directory Structure.
Active Directory Implementation Class 4
Chapter 4: Active Directory Design and Security Concepts
ADVANCED MICROSOFT ACTIVE DIRECTORY CONCEPTS
Overview of Active Directory Domain Services Lesson 1.
Overview of Active Directory Domain Services Lesson 1.
Nassau Community College
Directory services Unit objectives
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory, Enhanced Chapter 7: Active Directory Replication.
Module 7: Implementing Sites to Manage Active Directory Replication.
Active Directory Boundaries - Purpose Replication Boundaries Security Boundaries.
SERVER I SLIDE: 6. SERVER I Topics: Objective 4.3: Deploy and configure the DNS service Objective 5.1: Install domain controllers.
Active Directory Operations Masters. Overview  Active Directory updates generally multimaster Changes can be made on any DC  Some exceptions — single.
Maintaining Active Directory Domain Services
CN1276 Server Kemtis Kunanuraksapong MSIS with Distinction MCTS, MCDST, MCP, A+
Module 7 Active Directory and Account Management.
Session 7 Windows Platform Eng. Dina Alkhoudari. Learning Objectives Active Directory review Managing users and groups Single Master Operations Delegation.
Company Confidential 1 A Course on Global Catalog And Flexible Single Master Operations (Fsmo) Roles Prepared for: *Stars* New Horizons Certified Professional.
Operations Master / FSMO Roles in Active Directory : Suhail Ashfaq Butt.
 Identify Active Directory functions and Benefits.  Identify the major components that make up an Active Directory structure.  Identify how DNS relates.
Global Catalog and Flexible Single Master Operations (FSMO) Roles
Page 1 Active Directory and DNS Lecture 2 Hassan Shuja 09/14/2004.
Module 1: Implementing Active Directory ® Domain Services.
Windows Server 2003 站台設定與管理
Module 4: Configuring Active Directory Sites and Replication.
1 Chapter Overview Managing Object and Container Permissions Locating and Moving Active Directory Objects Delegating Control Troubleshooting Active Directory.
Chapter 4- Part3. 2 Implementing User Profiles A local user profile is automatically created at the local computer when you log on with an account for.
OVERVIEW OF ACTIVE DIRECTORY
Introduction to Active Directory
© Wiley Inc All Rights Reserved. MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition.
Module 1: Introduction to Active Directory
© Compiled by David Brewster Networking Diploma – Orange Group S Class Presentation: Operations Master Roles.
11 WORKING WITH ACTIVE DIRECTORY SITES Chapter 3.
Global Catalog and Flexible Single Master Operations (FSMO) Roles BAI516.
Unit 4 NT1330 Client-Server Networking II Date: 1/13/2016
Module 8: Planning for Windows Server 2008 Active Directory Services.
Module 4: Configuring Active Directory ® Domain Sevices Sites and Replication.
11 GLOBAL CATALOG AND FLEXIBLE SINGLE MASTER OPERATIONS (FSMO) ROLES Chapter 4.
Windows 2003 Architecture, Active Directory & DNS Lecture # 3 Hassan Shuja 02/14/2006.
MCSE: Windows Server 2003 Active Directory Planning, Implementation, and Maintenance Study Guide, Second Edition (70-294) Chapter 1: Overview of the Active.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Overview of Active Directory Domain Services Lesson 1.
Active Directories: Purpose and Structure Chrystom Ciganko IFMG352 Final Presentation.
Working with Active Directory Sites Lesson 3. Logical Versus Physical Structure Logical Forest Trees Domains OUs Leaf objects Physical IP Subnets/Sites.
Overview of Active Directory Domain Services
Active Directory Replication (Part 1) Paige Verwolf Support Professional Microsoft Corporation © 1999 Microsoft Corporation. All rights reserved.
Implementing Active Directory Domain Services
Global Catalog and Flexible Single Master Operations (FSMO) Roles
Overview of Active Directory Domain Services
Active Directory Fundamentals
Active Directory and Group Policy
Active Directory Replication (Part 2) Paige Verwolf Support Professional Microsoft Corporation © 1999 Microsoft Corporation. All rights reserved.
Global Catalog and Flexible Single Master Operations (FSMO) Roles
FSMO Roles and Global Catalog Servers
Microsoft Active Directory
Global Catalog and Flexible Single Master Operations (FSMO) Roles
Presentation transcript:

Active Directory and Group Policy Blackhat Amsterdam Raymond Forbes

Overview Active Directory Basics – Structure – Components – Objects – Roles – Schema – Sites – Interop

Overview Group Policy

Active Directory What is Active Directory? – LDAP Directory Service – Works with and requires DNS – Incorporated into Windows 2000 and XP – Centrally Managed – Extensible – Interoperable

Active Directory Building blocks of Active Directory – Objects Users Machines – Sites – Domains – Trees – Forests – Trusts Transitive Non-Transitive Cross Link

Active Directory Building blocks cont’d – Domain Controllers – Groups Global Groups Universal Groups Domain Local Groups

Active Directory Accounting Marketing Organizational Unit Blackhat.com

Active Directory Two way trust Transitive Trust Blackhat.com east west

Active Directory Defcon.orgBlackhat.com One way trust Cross link

Active Directory Sites – Collection of IP addresses – Information is stored by all domain controllers in the forest – Intra-site replication is instant – Inter-site replication can be scheduled – Used at logon to find closest Domain Controller – Bridgehead Server Maintains link between sites.

Active Directory Sites cont’d – Subnets Does not necessarily translate from actual subnets – Knowledge Consistency Checker Automatically defines the replication topology and bridgehead servers. These can be set manually

Active Directory FSMO Rules (Flexible Single-Master Operation) – Domain Naming Master Domain specific tasks (addition, removal of domains) – Infrastructure Master Maintains cross directory links – PDC Emulator Support for NT4 domains. First server that takes password changes – Relative ID (RID) Master Makes sure all SIDs are unique. All object moves happen through here. – Schema Master

Active Directory Global Catalog – Read Only – Partial database. Subset of information in the schema – Used for fast searching and logons All universal group information is stored in the Global Catalog.

Active Directory Schema – Holds what type of information can be stored in the Active Directory – Each object is an instance of a class – Attributes are defined for classes Optional or mandatory – Tree like structure – Classes are inherited

Active Directory Schema cont’d – Schema Classes Abstract Classes – Not actually used to make objects. – Used to provide structure to the schema Structural Classes – This is used to make directory objects Auxiliary Classes – Provides add on information that can be applied to other classes

Active Directory Schema Cont’d – Schema is cached in memory – Only one Schema for the entire forest – Cannot actually delete anything from the Schema after it has been extended. The only option you have is to deactivate any non used classes

Active Directory DNS – AD puts in a number of SRV records into your DNS. _ldap._tcp. 600 IN SRV server1 _ldap._tcp.pdc IN SRV server 1 _kerberos._tcp.dc._msdcs IN SRV server1

Active Directory Replication – Multi Mastered – Tracks meta-data – Different based on whether intra-site or inter-site Intra-site is simple, and not very configurable Inter-site can use RPC or SMTP – Not all data is replicated For instance, user last logon time – Replicates attributes, not entire objects

Active Directory Replication cont’d – Meta-Data Update Sequence Number (USN) – Defines latest update on a paticular Domain Controller Property Version Number – Version of attribute Attribute Timestamp IP address of Domain Controller – Server stores the USN of each DC seperately Each USN is stored by the server’s GUID

Active Directory Replication Cont’d – When a change is made on the Domain controller the USN is changed. The other DCs are notified. – The DC asks for all the changes post the USN it has recorded. – DC applies changes and stores new USN for that DC.

Active Directory Replication cont’d – Conflict Resolution A conflict is detected by the DC comparing the PVN on the local store with the one in the change. If a conflict is detected it is resolved with these values – Highest PVN – Timestamp – IP address

Active Directory Inter-site replication – By default, this is done by a schedule – Very configurable. Can define what servers replicate to what servers. – Can use RPC or SMTP SMTP doesn’t support file replication (e.g. logon scripts) – Compressed by up to 15% – You CAN turn on inter-site notification This has the effect of making inter-site communication just like intra-site.

Active Directory Password Replication – Password changes can happen on any DC – When a password is changed on a DC it pushes that change immediately to the PDC Emulator – Before a server actually rejects a bad password, it contacts the PDC Emulator and verifies it there – This makes sure that a password change does not deny access

Active Directory Other replication issues – Multiple Values Some attributes have multiple values (i.e. Groups) – This can be a problem as it could lead to two valid changes but both with the same PVN – Only the latest change will be kept. The previous ones will be dropped Inherited permissions – Inherited permissions are actually stored on each object – However, the DC only replicates the inheritable permission and let’s the receiving server actually do the work.

Active Directory Other Replication Issues cont’d – Tombstone When an object is deleted it isn’t removed at first This would cause the other DCs to not know the object should be deleted. Instead, when an object is deleted it has a “tombstone” placed on it. This object is moved to a hidden Deleted Objects container. This is hidden even from ADSI The tombstone is replicated to all controllers Garbage collection goes through and removes tombstoned objects that have expired

Active Directory Other Replication Issues cont’d – LostAndFound The LostAndFound container holds objects that tried to replicate but could not for some reason Suppose somebody adds a user to an OU on one server but then deletes the OU on another server

Active Directory Other Replication Issues cont’d – Urgent Replication Standard replication happens every 5 minutes intra-site and upon schedule for inter-site Certain circumstances demand immediate replication RID Master change – If another server has been given the role as RID Master LSA Secret Change Account lock-outs Urgent Replication doesn’t happen inter-site unless notification is turned on.

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.