Client Interactions Ing. Ondřej Ševeček | GOPAS a.s. |


1 Client Interactions
Ing. Ondřej Ševeček | GOPAS a.s.
MCM: Directory Services | MVP: Enterprise Security

2 Active Directory Client Interactions
Intro

3 Central Database
LDAP – Lightweight Directory Access Protocol: database query language, similar to SQL; TCP/UDP 389, SSL TCP 636
Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
D/COM Dynamic TCP – Replication
Kerberos – UDP/TCP 88
Windows NT 4.0 SAM – SMB/CIFS TCP 445 (or NetBIOS): password resets, SAM queries
SMB/DCOM Dynamic TCP – NTLM pass-through, Kerberos PAC validation

4 Design Considerations
Distributed system
DCs disconnected for very long times (several months)
Multimaster replication with some FSMO roles

5 Design Considerations
Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or bad satellite connectivity only. DCs synced after the ship is berthed at the main office.
Challenge: Must work independently for long time periods. Different independent cruise liners/DCs can accommodate changes to user accounts, addresses, Exchange settings. Cannot afford the loss of any one.

6 Database
Microsoft JET engine (JET Blue), common with Microsoft Exchange; also used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker
%WINDIR%\NTDS\NTDS.DIT
Maintained with ESENTUTL
Opened by LSASS.EXE

7 Installed services
LSASS – Security Accounts Manager: TCP 445 SMB + Named Pipes, D/COM Dynamic TCP
Kerberos Key Distribution Center: UDP, TCP 88
Active Directory Domain Services (LDAP): UDP, TCP 389, ...; database NTDS.DIT

8 Network Interactions (DC Location)
Diagram (Client 2000+): SRV: Any DC List from DNS → LDAP UDP Get My Site against Any DC 2000+ → SRV: My Site DC from DNS → My Site DC 2000+

9 Network Interactions (2008/Vista+ DC Location)
Diagram (Client Vista+): SRV: Any DC List from DNS → LDAP UDP Get My Site against Any DC 2008+ (returns My Site and Next Closest Site) → SRV: My Site DC from DNS → My Site DC 2000+; if none answers, SRV: Close Site from DNS → Close Site DC 2000+

10 Network Interactions (Join Domain)
Diagram: Client 2000+ obtains TGT: User (Kerberos), then TGT: CIFS over SMB to the SAM Interface on DC 2000+

11 Network Interactions (Local Logon)
Diagram: Client 2000+ obtains TGT: User (Kerberos) and TGS: LDAP, CIFS from DC 2000+; GPO List over LDAP, GPO Download over SMB

12 Network Interactions (Kerberos Network Logon)
Diagram: Client 2000+ obtains TGT: User and TGS: Server from its DC 2000+ (Kerberos); App Traffic to Server 2000+ carries TGS: Server in-band; Server 2000+ performs Occasional PAC Validation against its DC 2000+ over SMB / D/COM Dynamic TCP

13 Network Interactions (NTLM Network Logon)
Diagram: Client 2000+ sends App Traffic with in-band NTLM to Server 2000+; Server 2000+ performs NTLM Pass-through to its DC 2000+ over SMB / D/COM Dynamic TCP

14 Network Interactions (Basic/RDP Logon)
Diagram: Client 2000+ sends App Traffic with in-band clear text credentials to Server 2000+; Server 2000+ obtains Kerberos TGT: User from DC 2000+

15 Active Directory Replication
Attribute Notes

16 Attribute Types
string, integer, datetime, boolean, binary
DN reference
multivalue – up to 5000 items
linked multivalue – unlimited, requires 2003 Forest Level
backlink – memberOf
computed – primaryGroupToken, tokenGroups, lastLogonTimestamp
write-only attributes – unicodePwd

17 Group membership
Diagram: the Sales group carries the forward link (member): CN=Kamil,OU=London,DC=...; CN=Judith,OU=Paris,DC=...; CN=Victor,OU=London,DC=...; CN=Stan,OU=London,DC=...
Judith carries the backlink (memberOf): CN=Sales,OU=Groups,DC=...; CN=IS Access,OU=Groups,DC=...

18 (Not) replicated attributes
Not replicated: logonCount, badPasswordCount, badPasswordTime, lastLogon, lastLogoff
Replicated: pwdLastSet, lockoutTime, lastLogonTimestamp (since 2003)

19 Logon timestamps (2003 DFL)
Diagram: three DCs with lastLogon 9:00, 11:38 and - respectively (per DC, not replicated), while lastLogonTimestamp is 11:00 on all of them (replicated); Client

20 lastLogonTimestamp
Requires 2003 domain level
Updated only once per 14-random(5) days
msDS-LogonTimeSyncInterval on DC=idtt,DC=local: 1+ – minimum without randomization; 5+ – randomization starts; 14 – the default ...
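The update rule above, as an added model (not code from the deck): lastLogonTimestamp is rewritten only when it is older than msDS-LogonTimeSyncInterval minus a random 0..5 days, so a stale-account report must widen its cutoff by the full interval. The rand_days hook and the account names are assumptions made for the example.

```python
import random
from datetime import datetime, timedelta

DEFAULT_SYNC_INTERVAL = 14   # msDS-LogonTimeSyncInterval default, in days (slide 20)
MAX_RANDOM_DAYS = 5          # randomization applies once the interval is 5 or more


def _random_days():
    return random.randint(0, MAX_RANDOM_DAYS)


def effective_interval(sync_interval_days, rand_days=_random_days):
    """Age a lastLogonTimestamp must reach before a logon rewrites it.
    Slide 20: 1 is the minimum and has no randomization; from 5 up, 0..5 random
    days are subtracted, so the default 14 becomes anywhere from 9 to 14 days."""
    if sync_interval_days < 1:
        raise ValueError("msDS-LogonTimeSyncInterval must be at least 1 day")
    if sync_interval_days < MAX_RANDOM_DAYS:
        return timedelta(days=sync_interval_days)
    return timedelta(days=sync_interval_days - rand_days())


def record_logon(last_logon_timestamp, now, sync_interval_days=DEFAULT_SYNC_INTERVAL,
                 rand_days=_random_days):
    """Value of lastLogonTimestamp after a logon at `now`. The per-DC lastLogon
    always moves; the replicated lastLogonTimestamp is rewritten only when it is
    older than the effective interval, which is what keeps replication cheap."""
    if last_logon_timestamp is None:
        return now
    if now - last_logon_timestamp >= effective_interval(sync_interval_days, rand_days):
        return now
    return last_logon_timestamp


def inactive_accounts(accounts, now, cutoff_days, sync_interval_days=DEFAULT_SYNC_INTERVAL):
    """Stale-account report built from replicated lastLogonTimestamp values.
    Because the attribute can lag a real logon by up to sync_interval_days, the
    cutoff is widened by that much so a recently active account is never listed.
    `accounts` maps sAMAccountName -> lastLogonTimestamp (None = never logged on)."""
    limit = now - timedelta(days=cutoff_days + sync_interval_days)
    return sorted(name for name, ts in accounts.items() if ts is None or ts < limit)
```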

21 Immediate Replication
Diagram: Client performs a Password Change at a DC; the password hash goes by Immediate Replication to the PDC and by Normal replication to the other DCs

22 Password changes
Diagram: Client changes the password at a DC; pwdLastSet on that DC, on the PDC and on the other DCs

23 Authentication failures
Diagram: the PDC and both DCs hold pwd1; Client authenticates

24 Authentication failures
Diagram: after a password change one DC still holds pwd1 while the PDC and the other DC hold pwd2; Client uses pwd2

25 Authentication failures
Diagram: Client presents pwd2 to the DC that still holds pwd1; the PDC and the other DC hold pwd2

26 Authentication failures
Diagram: badPasswordCount 7 on the PDC, 2, 3 and 2 on the individual DCs (not replicated); lockoutTime; Client
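A constructed model of slides 21 to 26 (added here, not code from the deck): a password change reaches the PDC immediately and the other DCs only by normal replication, a DC that cannot verify a password chains to the PDC, the PDC keeps the authoritative badPasswordCount and sets lockoutTime, and lockoutTime replicates while the counts do not. The lockout threshold, hash strings and the rule that a DC also bumps its own count before chaining are assumptions of the model.

```python
class DC:
    def __init__(self, name, pwd_hash, is_pdc=False):
        self.name, self.pwd_hash, self.is_pdc = name, pwd_hash, is_pdc
        self.bad_password_count = 0   # per DC, never replicated (slide 18)
        self.lockout_time = None      # replicated (slide 18)


class Domain:
    def __init__(self, pdc, other_dcs, lockout_threshold=5):
        self.pdc = pdc
        self.dcs = [pdc] + other_dcs
        self.threshold = lockout_threshold   # assumed lockout policy for the model

    def change_password(self, dc, new_hash):
        """Slide 21: the new hash is pushed to the PDC immediately; the remaining
        DCs keep the old hash until normal replication runs."""
        dc.pwd_hash = new_hash
        self.pdc.pwd_hash = new_hash

    def normal_replication(self):
        """Normal replication: hashes and lockoutTime converge, counts stay local."""
        for dc in self.dcs:
            dc.pwd_hash = self.pdc.pwd_hash
            dc.lockout_time = self.pdc.lockout_time

    def authenticate(self, dc, pwd_hash, now):
        """Returns 'ok', 'bad' or 'locked'. A non-PDC DC that sees a mismatch may
        simply be behind (slides 24-25), so it forwards the attempt to the PDC,
        which holds the newest hash and the authoritative counter (slide 26)."""
        if dc.lockout_time is not None:
            return "locked"
        if pwd_hash == dc.pwd_hash:
            return "ok"
        dc.bad_password_count += 1    # model assumption: local count moves too
        if dc.is_pdc:
            if dc.bad_password_count >= self.threshold:
                dc.lockout_time = now
            return "bad"
        return self.authenticate(self.pdc, pwd_hash, now)
```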

27 Active Directory Client Interactions
DC Location

28 Client Applications
Kerberos and NTLM authentication
Secure Channel: password changes, NTLM pass-through, Kerberos PAC validation
Group Policy client
DFS client
Certificate Autoenrollment client

29 Client Applications
NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway): group membership, Dial-In tab
RD Host (Terminal Server): Remote Control tab etc., Licensing servers
DHCP Server: authorization
IIS: account and group membership for SSL certificate authentication
WDS: computer MAC addresses or GUIDs

30 Connection Properties
Bandwidth (Mbps) – forget about this
Latency (ms) – round-trip time (RTT): SMB, D/COM, SQL
Packet Loss (per sec., per Mb) – packet loss rate (PLR): VPN such as PPTP, SSTP, IP-HTTPS

31 Timeouts
DNS: primary DNS = 1 sec., secondary DNSs = 2 sec.
ARP: 1000 ms
LDAP UDP Site Location: 600 ms
TCP: SYN = 21 sec. (3x retransmission), PSH/ACK = 93 sec. (5x retransmission)

32 Basic DC location
Know the DNS name of the domain
Query general DNS DC SRV records: _ldap._tcp.dc._msdcs.idtt.local
Ping the DC
Windows 2003-: LDAP UDP (ping) the DC to get the client's site/close site

33 DNS Domain Location
Makes use of DNS round robin
Site unaware lookup: NSLOOKUP, SET Q=SRV, _ldap._tcp.dc._msdcs.idtt.local
Site specific lookup: _ldap._tcp.Paris._sites.dc._msdcs.idtt.local

34 Site Example – Single Site
Diagram: London site (x.x) with DC1, DC2, DC3, DC4, DC5 and the Client

35 Site Example – Multihomed DC (DNS Bitmask Ordering)
Diagram: Paris site (10.20.x.x) and London site (x.x) with DC1, DC2, DC3, DC4, DC5 and the Client

36 Site Awareness
Diagram: Paris (10.20.x.x) with DC4, Roma (10.30.x.x) with DC6, London (10.10.x.x), Berlin (x.x) with DC5; the Client asks "where am I?" by anonymous LDAP UDP

37 General Operation
Use DNS to find the generic DC list
Ping the selected DC
Windows 2003-: anonymous LDAP (UDP) to determine the site; the DC defines the site from the request source IP address (NAT?)
Use DNS to find a close DC in the site
Ping or LDAP UDP to determine availability

38 DC Locator
NetLogon Service
nltest /sc_query:idtt – no network access
nltest /sc_verify:idtt – tries to authenticate with the DC
nltest /sc_reset:idtt – always performs a new DNS lookup
nltest /dsgetsite – anonymous query against the selected DC

39 DFS Client (MUP)
Multiple UNC provider (MUP) driver
Determines its own DFS server referrals: obtains the list of DFS root servers from AD using the default DC from Netlogon
SYSVOL may be accessed from a different DC
DFSUTIL /PKTINFO – Windows Server 2003/Windows XP
DFSUTIL CACHE REFERRAL – Windows Server 2008/Windows Vista

40 Site Example – Empty Site
Diagram: Paris (x.x) with DC4, DC5; London (x.x) with DC1, DC2, DC3; Berlin (x.x) with DC4, DC5; Roma (x.x) with DC6; Cyprus (x.x) with DC7; the Client sits in a site without a DC

41 Automatic Site Coverage
Each DC registers itself for its neighboring empty sites
HKLM\System\CurrentControlSet\Services\Netlogon AutoSiteCoverage = DWORD = 1/0
GPO: Sites Covered by the DC Locator DNS SRV Records

42 Active Directory Troubleshooting
Misplaced OR Confused Clients

43 Site Example – Out of Site
Diagram: Paris (x.x) with DC4, DC5; London (x.x) with DC1, DC2, DC3; Berlin (x.x); Roma (x.x) with DC6; Cyprus (x.x) with DC7; the Client is outside every defined subnet

44 Out-of-site clients

45 Out-of-site clients

46 Limiting generic DC list
Limit creation of generic DC DNS records
GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records – DC Locator DNS Records not Registered: Ldap, Kdc

47 DC Stickiness
When one close DC is selected, the client sticks to it, even when moved into a different site; the secure channel must be reset
Force rediscovery interval: GPO on Vista+, hotfix for Windows XP, also the registry value ForceRediscoveryInterval

48 Site Example – Moving Client
Diagram: Paris (x.x) with DC4, DC5; London (x.x) with DC1, DC2, DC3; Berlin (x.x) with DC4, DC5; Roma (x.x) with DC6; Cyprus (x.x) with DC7; the Client, previously in Paris, now in Cyprus

49 Active Directory Troubleshooting
Client Failover

50 Site Example – Failed DC
Diagram: Paris (x.x) with DC4; Roma (x.x) with DC6; London (x.x) with DC1, DC2, DC3; Cyprus (x.x) with DC7; Berlin (x.x) with DC5; the Client

51 Non-close Site DC
Close site: the client's site, plus the next closest site if enabled
If there is no DC available in the close site, rediscovery every 15 minutes
HKLM\System\CurrentControlSet\Services\Netlogon\Parameters CloseSiteTimeout = REG_DWORD = x seconds

52 Site Example – Close Site
Diagram: Paris (x.x) with DC4, DC5; London (x.x) with DC1, DC2, DC3; Berlin (x.x); Roma (x.x) with DC6; Cyprus (x.x) with DC7; the Client

53 Try Next Closest Site
First, get any DC name from DNS
Second, query that DC for the client's site name; it returns the client's site plus the closest site (determined by the DC)
Then query DNS for DCs in the client's current site and try to use those DCs
If none responds, the client queries DNS for its next closest site and tries to use the DCs found there

54 Try Next Closest Site
Does not consider RODC sites by default; can be changed in the registry value NextClosestSiteFilter
Windows 2003- cannot return the next closest site information: a problem if the "any DC" hit is Windows 2003-, because it is then going to be used regardless of its site

55 Client Rules Recap
Windows 2003-: in the current site, otherwise in any site
Windows Vista+ with Next closest site: in the current site, then in the closest site, otherwise in any site
If the client is out of any site, find any DC; consider creating subnets for VPNs etc.
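The locator order of slides 53 to 55, as an added simulation (not the deck's or Windows' code): the client takes any DC from the generic SRV list, the DC maps the request's source IP to a site and, if it is 2008+, a next closest site, and the client then tries its own site, the next closest site and finally the generic list. The domain name is the deck's idtt.local; the SRV answers, subnets, site relations and the set of responding DCs are constructed lab data.

```python
import ipaddress

DOMAIN = "idtt.local"
GENERIC_SRV = f"_ldap._tcp.dc._msdcs.{DOMAIN}"


def site_srv(site):
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{DOMAIN}"


# Constructed lab data, not from the original slides.
SRV = {
    GENERIC_SRV: ["DC1", "DC2", "DC3", "DC4", "DC5", "DC6"],
    site_srv("London"): ["DC1", "DC2", "DC3"],
    site_srv("Paris"): ["DC4"],
    site_srv("Roma"): ["DC6"],
}
SUBNETS = {"10.10.0.0/16": "London", "10.20.0.0/16": "Paris", "10.30.0.0/16": "Roma"}
NEXT_CLOSEST = {"Paris": "London", "Roma": "London", "London": "Paris"}


def ldap_ping(client_ip, dc_is_2008_plus=True):
    """Anonymous LDAP-over-UDP ping answer: the DC maps the request's source IP to a
    site (slide 37, so NAT hides the real site); only a 2008+ DC can also report the
    next closest site (slide 54). Returns (site, next_closest_site), None if unknown."""
    ip = ipaddress.ip_address(client_ip)
    site = next((s for net, s in SUBNETS.items() if ip in ipaddress.ip_network(net)), None)
    closest = NEXT_CLOSEST.get(site) if (site and dc_is_2008_plus) else None
    return site, closest


def locate_dc(client_ip, responding, dc_is_2008_plus=True, try_next_closest=True):
    """Slide 53 order: any DC from the generic SRV list -> LDAP ping for the site ->
    DCs of the own site -> DCs of the next closest site -> fall back to the generic DC.
    Returns (chosen DC, SRV name it was taken from); (None, None) if nothing answers."""
    first = next((dc for dc in SRV[GENERIC_SRV] if dc in responding), None)
    if first is None:
        return None, None
    site, closest = ldap_ping(client_ip, dc_is_2008_plus)
    sites = [s for s in (site, closest if try_next_closest else None) if s]
    for s in sites:
        dc = next((d for d in SRV.get(site_srv(s), []) if d in responding), None)
        if dc:
            return dc, site_srv(s)
    return first, GENERIC_SRV   # client out of any site, or no close DC answered
```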

56 Active Directory Client Interactions
Site Design

57 Site Link Design

58 Site Link Design (Better?)
Diagram: site links among Olomouc, Paris, London, Roma, Berlin, Cyprus

59 Site Link Design (Worse?)
Diagram: site links among Olomouc, London, Paris, Roma, Berlin, Cyprus

60 Active Directory Client Interactions
DNS Integration

61 DNS Integration
Clients find DCs by domain/site name
DCs find replication partners according to their GUID
Netlogon de/registers the locator records
DNS stores its data in the domain partition, the DomainDnsZones application partition or the ForestDnsZones application partition

62 Netlogon de/registration
Netlogon registers its own records at startup and deregisters them at shutdown; requires DNS registration enabled on at least one network adapter
%windir%\System32\Config\netlogon.dns
It does not touch others' records
Autosite coverage turned on by default

63 AD Integrated Zones
Offer Secure Dynamic Update
Timestamping trimmed to the whole hour
Aging and scavenging: records deleted by default between days of their age

64 DNS Application Partitions
Domain partition: CN=MicrosoftDNS,CN=System,DC=...
DomainDnsZones: replicated to all DNS Servers which are also DCs of the domain
ForestDnsZones: replicated to all DNS Servers which are also DCs of the forest

65 Secure Dynamic Update
Client side feature: DHCP Client on Windows 2003-, DNS Client on Windows Vista+
DNS Server must be on a DC to authenticate clients with Kerberos
All Authenticated Users can create new records
When a record is created, only the creator/owner can modify/update it

66 Secure Dynamic Update
Updates done regularly by clients, every hour by default
Default TTL is 20 minutes
Disable DHCP dynamic updates – insecure!

67 Dynamic Update
Diagram: 1 – Client asks its configured (Secondary) DNS for the SOA; 2 – the Secondary DNS answers with the Primary; 3 – Client sends the Update to the Primary DNS

68 Adjust A/PTR Record TTL

69 Dynamic Update and Replication
Diagram: DNS to AD on the same DC: 0 sec.; AD to AD replication: 15-21 sec., 0-3 min., or by schedule; AD to DNS on the other DC: 0 sec.

70 Dynamic Update and Replication

71 Dynamic DNS Update on RODC
Each writable DC returns itself as the primary DNS
An RODC returns a (random) writable DC as the primary DNS

72 Dynamic DNS Update on RODC
Diagram: 1 – Client asks the R/O DNS on the RODC for the SOA; 2 – Client sends the Update to the DNS of a writable DC, which writes it into AD (0 sec.)

73 Dynamic DNS Update on RODC
Diagram: the writable DC's DNS writes into AD (0 sec.); the RODC pulls the record by replicateSingleObject (0-3 min.) and its R/O DNS sees it (0 sec.)

74 Time stamping/Aging
Record Created: the No-refresh period starts; timestamp trimmed to the whole hour
No-refresh period: by default 7 days; the timestamp does not change if the record does not change
Refresh period follows: by default the next 7 days; the timestamp gets updated at the first update

75 Scavenging
Server wide configuration
Should be done by only one DNS Server as best practice
By default occurs only once per 7 days

76 DNS Aging and Scavenging
per-zone setting, implemented by all DNS servers
timestamp updates only during the refresh interval; limits replication traffic

77 DNS Aging and Scavenging
per-server setting; should be done only by one of the DNS servers
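The aging and scavenging timeline of slides 74 to 77, as an added model (not the deck's or the DNS Server's code): timestamps are trimmed to the whole hour, an unchanged record is not rewritten during the 7-day no-refresh period, the first update in the following 7-day refresh period rewrites it, and a single scavenging server removes records whose timestamp plus both periods has passed, at most once per 7 days. Record names and addresses below are constructed.

```python
from datetime import datetime, timedelta

# Zone defaults from slide 74 and the server-wide scavenging period from slide 75.
NO_REFRESH = timedelta(days=7)
REFRESH = timedelta(days=7)
SCAVENGING_PERIOD = timedelta(days=7)


def trim_to_hour(t):
    """AD-integrated zones keep record timestamps with whole-hour precision (slide 63)."""
    return t.replace(minute=0, second=0, microsecond=0)


class DnsRecord:
    def __init__(self, name, data, created):
        self.name, self.data = name, data
        self.timestamp = trim_to_hour(created)

    def dynamic_update(self, now, data=None):
        """One client re-registration (hourly by default, slide 66). An unchanged
        record inside its no-refresh period keeps its timestamp, so nothing has to
        replicate; a data change, or any update in the refresh period, rewrites the
        timestamp and starts a new no-refresh period. Returns True if rewritten."""
        changed = data is not None and data != self.data
        if changed:
            self.data = data
        if changed or now >= self.timestamp + NO_REFRESH:
            new_ts = trim_to_hour(now)
            if new_ts != self.timestamp:
                self.timestamp = new_ts
                return True
        return False

    def is_stale(self, now):
        """Eligible for scavenging once no-refresh and refresh have both elapsed."""
        return now >= self.timestamp + NO_REFRESH + REFRESH


class Scavenger:
    """Per-server scavenging; best practice is to enable it on one DNS server only."""
    def __init__(self):
        self.last_run = None

    def run(self, records, now):
        """Delete stale records, but only if a full scavenging period has passed since
        the last run. Returns the names removed (empty when the run is skipped)."""
        if self.last_run is not None and now < self.last_run + SCAVENGING_PERIOD:
            return []
        self.last_run = now
        removed = [r.name for r in records if r.is_stale(now)]
        records[:] = [r for r in records if not r.is_stale(now)]
        return removed
```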

78 DNS Aging and Scavenging

79 DNS Best Practice
Diagram: DC1 (AD + DNS) and DC2 (AD + DNS)

80 DNS Waiting for AD

81 DNS Best-Practice Reasons
Faster boot time without errors and timeouts
Deregistration at shutdown is recorded in a live DNS Server; it would have problems replicating if sent to the shutting-down DC

82 Client DNS balancing
Clients do not balance DNS servers: queries/updates always use the first one if possible
DHCP server does not use round robin
Configuration must be done "manually": manually on servers, more DHCP scopes for clients

83 Client DNS non-balancing
Always alternate DNS server IP addresses

84 Client DNS non-balancing

85 DNS Client Settings
HKLM\System\CurrentControlSet\Services\Tcpip\Parameters
Timeouts: DNSQueryTimeouts
Disjoint namespace on multihomed machines: DisjointNameSpace
PrioritizeRecordData
GPO – DNS Suffix appending on Vista+

86 DNS Server UDP Pool
After applying KB , DNS Server reserves 2500 UDP ports
HKLM\System\CurrentControlSet\Services\DNS\Parameters SocketPoolSize = DWORD = 2500
DNSCMD /Config /SocketPoolSize 2500

87 DNS Cache Pollution
server: idtt.com authoritative DNS server
question: test.idtt.com, type A
answer: no records
authority answer: idtt.com SOA; idtt.com NS ns37.domaincontrol.com; ns37.domaincontrol.com A

88 Active Directory Troubleshooting
General Best Practice

89 General Best Practice
Create and assign subnets for any possible client IP
Limit the general (site unaware) DNS registration of DCs
Enable Try next closest site and Force rediscovery options
Enable DNS Aging and Scavenging
Alter clients' DNS settings to rotate the DNS server addresses

90 Thank YOU!
Ondřej Ševeček | GOPAS a.s.
MCM: Directory Services | MVP: Enterprise Security

