MindMap Gallery Active Directory
Basic introduction about Active Directory. You can make and share your own mind maps easily. Just try EdrawMind mind mapping software for free!
Edited at 2022-03-08 09:27:55
Active Directory
Component
Logical Component
It reflects the logical structure of the organization
Partition
The AD database is stored in a single database file, NTDS.dit, which is logically segmented into directory partitions (naming contexts)
Domain partition
Information about objects for specific domain
1 partition per domain
Replicated to all DC in the same domain
Configuration partition
Information about entire forest structure, including sites, service
1 partition per forest
Replicated to all DC in a forest
Schema partition
Information used to define objects and rules for manipulating and creating objects
1 partition per forest
Replicated to all DC in a forest
Application partition
Stores any type of object except security principals. For example, an AD-integrated DNS server creates 2 application partitions: ForestDNSZones and DomainDNSZones
1 partition per application
Replicates only between designated DC
Logical partitions in NTDS.dit file
NTDS - New Technologies Directory Service
DIT - Directory Information Tree
Default size is 12MB
Can be extended up to 16TB
Stored in C:\Windows\NTDS\ntds.dit
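As an added example (not part of the original mind map), the following PowerShell lists the naming contexts a domain controller exposes in RootDSE and labels each as the domain, configuration, schema or application partition described above; it then reads the crossRef objects under CN=Partitions to show which designated DCs host each application partition. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the function names Get-DirectoryPartition and Get-ApplicationPartitionReplica are mine.

```powershell
# Added example, not part of the original mind map.
# Assumes the ActiveDirectory module (RSAT) and a domain-joined session.
Import-Module ActiveDirectory

function Get-DirectoryPartition {
    param([string]$Server)   # optional DC to query; defaults to the nearest DC

    $rootDse = if ($Server) { Get-ADRootDSE -Server $Server } else { Get-ADRootDSE }

    # RootDSE names the three well-known partitions explicitly. Hashtable keys are
    # case-insensitive in PowerShell, so DN case differences do not matter here.
    $known = @{}
    $known[$rootDse.defaultNamingContext]       = 'Domain (1 per domain, all DCs in the domain)'
    $known[$rootDse.configurationNamingContext] = 'Configuration (1 per forest, all DCs)'
    $known[$rootDse.schemaNamingContext]        = 'Schema (1 per forest, all DCs)'

    foreach ($nc in $rootDse.namingContexts) {
        $kind = if ($known.ContainsKey($nc)) { $known[$nc] }
                else { 'Application (designated DCs only, e.g. ForestDNSZones/DomainDNSZones)' }
        [pscustomobject]@{ NamingContext = $nc; Partition = $kind }
    }
}

function Get-ApplicationPartitionReplica {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    # Every partition has a crossRef object under CN=Partitions. Application partitions
    # carry the FLAG_CR_NTDS_NOT_GC_REPLICATED bit (0x4) in systemFlags;
    # 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    Get-ADObject -SearchBase "CN=Partitions,$cfg" `
        -LDAPFilter '(&(objectClass=crossRef)(systemFlags:1.2.840.113556.1.4.803:=4))' `
        -Properties nCName, 'msDS-NC-Replica-Locations' |
      ForEach-Object {
        # msDS-NC-Replica-Locations holds the NTDS Settings DN of each designated DC;
        # the regex keeps only the server name from that DN.
        $replicas = @($_.'msDS-NC-Replica-Locations') -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
        [pscustomobject]@{
            Partition  = $_.nCName
            ReplicaDCs = ($replicas -join ', ')
        }
      }
}

Get-DirectoryPartition          | Format-Table -AutoSize
Get-ApplicationPartitionReplica | Format-Table -AutoSize
```

The second function is the check to run when an application partition such as DomainDNSZones appears to be missing on some DCs: a DC that is not listed in the replica locations never receives that partition, which is expected behaviour rather than a replication failure.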
Schema
It is the set of definitions for all object types in the directory and their related attributes.
Domain
A logical group of computers that share the same database.
Domain tree
A collection of domains that share a contiguous namespace. Trusts between them are created automatically.
Forest
It is the topmost logical container in an AD network: a collection of domains that share the same Schema. A trust is automatically created between domain trees.
Site
A collection or group of well-connected networks. Allows you to divide up your network based on its topology, for service localization and to manage replication. Sites can be separated by:
location
secure subnet (separated by a firewall)
weak connection (via WiFi)
Service localization
Manage replication
Organizational unit (OU)
Container
Physical Component
It reflects the physical layout or topology of the network
Domain controller
It holds a copy of the AD DS database. It can process changes and replicate them to all other DCs in the domain. It only holds a copy of the objects in its own domain.
Data store
It holds the AD DS database. It uses Jet database technology and stores the information in the NTDS.dit file and associated logs. This is the physical structure of NTDS.dit
NTDS.DIT
The physical database file where all directory data is stored.
data table
link table
security descriptor table
EDB.LOG
It is the transaction log: any change made to an object in AD is first written to this file. Its size is always 10MB.
EDB****.LOG
These are auxiliary transaction logs used to store changes if the main EDB.LOG file fills up before it can be flushed to NTDS.DIT.
EDB.CHK
It is a checkpoint file used by transaction logging system to mark the point at which updates are transferred from EDB.LOG to NTDS.DIT.
RES1.LOG, RES2.LOG
These are reserve log files that act as placeholders. They are used once the disk space is fully utilized.
TEMP.EDB
Schema.INI
This is used during the initialization of NTDS.DIT while the server is being promoted to a Domain Controller. It becomes part of NTDS.DIT after the promotion.
Global Catalog(GC)
A writable DC that holds a full copy of all objects in its own domain and a partial, read-only copy of all objects in the forest. This allows users and applications to find objects in any domain of the current forest. Not all attributes of objects from other domains in the forest are copied; you can add more attributes via the AD Schema by selecting Replicate This Attribute to the Global Catalog. source: https://theitbros.com/global-catalog-active-directory/
Read-only domain controller (RODC)
It is mainly used for security purposes while providing resiliency at remote offices with poor connectivity. RODC replication is one-directional, happens only during the replication cycle, and is only with a writable DC, never with another RODC.
Design
Sites
Division
Sites can be modeled based on your physical network
based on physical location
based on secure subnet (separated by firewall)
based on connectivity (weak WiFi)
Knowledge Consistency Checker
Runs every 15mins
Manual run via Check Replication Topology
repadmin /kcc
Creates connection between servers
Configuration
Sites
NTDS Settings
Manual replication of DCs between sites
Manual creation of connection
Force run of KCC
Shows incoming connections
Checks which is the bridge head server
repadmin /bridgeheads
Servers
Site link
Cost
This tells AD what prioritization will be used. The lowest cost will be prioritized.
Replication time
The default is set to 180mins or 3 hrs. Can be set to as low as 15mins.
Site Transport
RPC over IP
This supports everything required for AD. It uses synchronous communication: it waits for a response each time data is sent, and stops sending if no response arrives.
SMTP
Supports everything (AD changes and schema) except file replication services such as SYSVOL, which contains scripts and group policies. It uses asynchronous communication, where a response is not required.
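The Knowledge Consistency Checker, connection objects and site link settings described above can be audited from PowerShell. The following is an added example (not from the mind map or from any vendor tool) that assumes the RSAT ActiveDirectory module: it summarises every site link with its transport, cost and replication interval, lists every connection object and whether the KCC generated it, and finishes with the two repadmin commands the map names. The function names are mine.

```powershell
# Added example, not part of the original mind map.
# Assumes the ActiveDirectory module (RSAT); repadmin ships with the same tools.
Import-Module ActiveDirectory

# Site links: cost (lowest wins), replication interval (default 180 min, minimum 15 min)
# and transport. Site links live under CN=IP or CN=SMTP in CN=Inter-Site Transports,
# so the transport can be read straight from the link's DN.
function Get-SiteLinkSummary {
    Get-ADReplicationSiteLink -Filter * -Properties Cost, ReplicationFrequencyInMinutes, SitesIncluded |
      ForEach-Object {
        [pscustomobject]@{
            SiteLink        = $_.Name
            Transport       = if ($_.DistinguishedName -match 'CN=SMTP,CN=Inter-Site Transports') { 'SMTP' } else { 'IP' }
            Cost            = $_.Cost
            IntervalMinutes = $_.ReplicationFrequencyInMinutes
            Sites           = (($_.SitesIncluded -replace '^CN=([^,]+),.*$', '$1') -join ', ')
            # Non-default intervals are worth a second look: a long one delays propagation
            # of password changes and lockouts to the remote site.
            NonDefault      = $_.ReplicationFrequencyInMinutes -ne 180
        }
      }
}

# Connection objects: the KCC creates and prunes these automatically (it runs every 15 min).
# Manually created connections are never removed by the KCC, so they survive topology
# changes and should be reviewed periodically.
function Get-ConnectionSummary {
    Get-ADReplicationConnection -Filter * -Properties AutoGenerated, ReplicateFromDirectoryServer, ReplicateToDirectoryServer |
      ForEach-Object {
        [pscustomobject]@{
            Connection   = $_.Name
            From         = $_.ReplicateFromDirectoryServer -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
            To           = $_.ReplicateToDirectoryServer   -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
            KccGenerated = [bool]$_.AutoGenerated
        }
      }
}

Get-SiteLinkSummary   | Format-Table -AutoSize
Get-ConnectionSummary | Format-Table -AutoSize

# Force the KCC to recompute the topology now, then list the current bridgehead servers
# (run from an elevated prompt on a DC or an RSAT host).
repadmin /kcc
repadmin /bridgeheads
```

Manual connections reported with KccGenerated = False are the ones to compare against a change record: they are the only topology objects the KCC will not clean up on its own.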
Subnet
Global Catalog
There should be at least 1 GC per domain
Any DC can be made into a GC
By default all DC are GC
Contains an index of every object in the forest
Contains a subset of all objects in a forest
Holds information of multi-domain groups
Enable GC via AD Users and Computers
Required when using UPN
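As an added example (not from the mind map), the following PowerShell checks the Global Catalog rules listed above: it reports, per domain, which DCs hold the GC role and whether the domain has at least one, and it lists the attributes currently flagged for replication to the GC (the partial attribute set, set by the Replicate This Attribute to the Global Catalog option). It assumes the RSAT ActiveDirectory module; the function names are mine.

```powershell
# Added example, not part of the original mind map.
# Assumes the ActiveDirectory module (RSAT) and forest-wide read access.
Import-Module ActiveDirectory

# Which DCs hold the GC role, per domain. Every domain should have at least one GC;
# UPN logons and multi-domain group membership lookups depend on it.
function Get-GlobalCatalogCoverage {
    $forest = Get-ADForest
    foreach ($domain in $forest.Domains) {
        $dcs = @(Get-ADDomainController -Filter * -Server $domain)
        $gcs = @($dcs | Where-Object IsGlobalCatalog)
        [pscustomobject]@{
            Domain         = $domain
            DCs            = $dcs.Count
            GlobalCatalogs = ($gcs.HostName -join ', ')
            HasGC          = $gcs.Count -gt 0
        }
    }
}

# Attributes replicated to the GC are the attributeSchema objects with
# isMemberOfPartialAttributeSet=TRUE in the schema partition. Reviewing this list matters
# because anything added to it becomes readable forest-wide through the GC ports
# (3268 plain LDAP, 3269 LDAPS), not just inside the attribute's own domain.
function Get-PartialAttributeSet {
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))' `
        -Properties lDAPDisplayName |
      Select-Object -ExpandProperty lDAPDisplayName |
      Sort-Object
}

Get-GlobalCatalogCoverage | Format-Table -AutoSize

# Save the attribute list once as a baseline; a diff against it later shows which
# attributes were newly promoted into the GC and by implication exposed forest-wide.
$pas = Get-PartialAttributeSet
"{0} attributes in the partial attribute set" -f $pas.Count
$pas | Set-Content -Path ".\gc-partial-attribute-set-$(Get-Date -Format yyyyMMdd).txt"
```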
Operations
Site Replication
Intra-site Replication
It creates a ring of connections between the DCs in a site. Once a site has more than 8 DCs, additional connections are created so that no DC is more than 3 hops from any other. This keeps propagation under a minute (45 sec for 3 hops).
Happens between DCs in the same Site
No configuration required
Starts 15sec after a change
Up to 3 hops propagation in less than 1min
Uses IP transport only
Inter-site replication
Replication between two sites
Requires a Site link
AD selects a bridge head server automatically in each site
You can select your Preferred bridge server
Note that if the preferred bridgehead server is down, replication to that site will not occur.
The bridgehead server replicates changes to the bridgehead server of the other site
Has an option to use SMTP or IP transport
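Intra-site and inter-site replication as described above leave different traces in the replication metadata. The following added example (not from the mind map) walks every DC, reads its inbound replication partners, classifies each partner as intra-site or inter-site by comparing site names, and flags partners that have failed or gone stale, which is how a down preferred bridgehead shows up in practice. It assumes the RSAT ActiveDirectory module and rights to read replication metadata; the function name and the six-hour staleness threshold are mine.

```powershell
# Added example, not part of the original mind map.
# Assumes the ActiveDirectory module (RSAT) and read access to replication metadata.
Import-Module ActiveDirectory

# For each DC, list every inbound partner with its scope (intra-site: ring topology,
# notification ~15 s after a change; inter-site: site link schedule via bridgeheads),
# the partition replicated, and the last success/failure state.
function Get-ReplicationStatus {
    $dcs = foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    }
    foreach ($dc in $dcs) {
        $meta = Get-ADReplicationPartnerMetadata -Target $dc.HostName -PartnerType Inbound -ErrorAction SilentlyContinue
        foreach ($m in $meta) {
            # Partner is the NTDS Settings DN of the source DC; pull the server and site names from it.
            $partnerName = $m.Partner -replace '^CN=NTDS Settings,CN=([^,]+),.*$', '$1'
            $partnerSite = $m.Partner -replace '^.*?,CN=Servers,CN=([^,]+),CN=Sites,.*$', '$1'
            [pscustomobject]@{
                DC          = $dc.HostName
                ReadOnly    = $dc.IsReadOnly      # RODCs pull one-way from writable DCs only
                Partner     = $partnerName
                Scope       = if ($partnerSite -eq $dc.Site) { 'Intra-site' } else { 'Inter-site' }
                Partition   = $m.Partition
                LastSuccess = $m.LastReplicationSuccess
                Failures    = $m.ConsecutiveReplicationFailures
                LastResult  = $m.LastReplicationResult   # 0 = success, otherwise a Win32 error code
            }
        }
    }
}

$status = Get-ReplicationStatus
$status | Format-Table -AutoSize

# Anything with consecutive failures, or no success within several site link intervals,
# deserves attention. A site whose preferred bridgehead is down appears here as
# inter-site rows whose LastSuccess stops advancing on both sides of the link.
$staleAfter = (Get-Date).AddHours(-6)   # threshold chosen for this example
$status | Where-Object { $_.Failures -gt 0 -or $_.LastSuccess -lt $staleAfter } | Format-Table -AutoSize
```

Rows with ReadOnly = True should only ever show writable DCs as partners; an RODC listed as the Partner of another RODC would contradict the one-directional model described above and is worth investigating.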
FSMO Roles
Flexible Single Master Operation source: https://www.varonis.com/blog/fsmo-roles/ https://stealthbits.com/blog/what-are-fsmo-roles-active-directory/
Schema Master
Manages the read-write copy of AD schema
The only DC that has writable schema partition
AD Schema Management console
Only 1 per forest
Domain Naming Master
Makes sure that you don't create a second domain with the same name
The only DC that is capable of adding new domains and application partition
AD Domains and Trusts Management console
Only 1 per forest
Forest-wide
Relative ID (RID) Master
Allocates RID pools
Assigns SID to newly created objects
AD Users and Computers Management console
1 per domain
Primary DC (PDC) Emulator
Manages Group Policy
Keeps the time accurate
Handles password changes and is the final authority on passwords
AD Users and Computers Management console
1 per domain
Infrastructure Master
Keeps cross-domain references (GUID, SID and DN) up to date
Keeps track of object renames and deletes
AD Users and Computers Management console
1 per domain
Domain-wide
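The five roles above can be read and sanity-checked from PowerShell. This added example (not from the mind map or the cited blogs) lists the forest-wide and domain-wide role holders and then checks two things a defender verifies after any DC decommission or recovery: that every holder is still a known DC, and that the Infrastructure Master is not on a Global Catalog unless every DC in its domain is also a GC, a placement rule that is not on the map but is well established. It assumes the RSAT ActiveDirectory module; the function names are mine.

```powershell
# Added example, not part of the original mind map.
# Assumes the ActiveDirectory module (RSAT) and forest-wide read access.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    # Forest-wide roles: exactly one holder per forest.
    [pscustomobject]@{ Scope = 'Forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'Forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    # Domain-wide roles: one holder per domain.
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        [pscustomobject]@{ Scope = $name; Role = 'PDCEmulator';          Holder = $d.PDCEmulator }
        [pscustomobject]@{ Scope = $name; Role = 'RIDMaster';            Holder = $d.RIDMaster }
        [pscustomobject]@{ Scope = $name; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster }
    }
}

# Placement checks:
#  - a holder that is no longer a DC blocks schema changes, new domains, RID allocation,
#    or the password/time authority, depending on the role;
#  - the Infrastructure Master must not sit on a GC unless every DC in the domain is a GC
#    (the map notes all DCs are GCs by default, in which case the placement is harmless).
function Test-FsmoPlacement {
    $dcs = @(foreach ($domain in (Get-ADForest).Domains) {
        Get-ADDomainController -Filter * -Server $domain
    })
    foreach ($r in Get-FsmoRoleHolder) {
        $dc = $dcs | Where-Object HostName -eq $r.Holder
        $issue = $null
        if (-not $dc) {
            $issue = 'Holder not found among current DCs'
        } elseif ($r.Role -eq 'InfrastructureMaster') {
            $domainDcs = @($dcs | Where-Object Domain -eq $r.Scope)
            $allGc = @($domainDcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
            if ($dc.IsGlobalCatalog -and -not $allGc) {
                $issue = 'Infrastructure Master on a GC while some DCs in the domain are not GCs'
            }
        }
        [pscustomobject]@{ Scope = $r.Scope; Role = $r.Role; Holder = $r.Holder; Issue = $issue }
    }
}

Test-FsmoPlacement | Format-Table -AutoSize

# The classic command-line cross-check reports the same five holders.
netdom query fsmo
```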
Technology
X.500
Database (NTDS.DIT)
Lightweight Directory Access Protocol
Allows access to the database
via AD Management Tool
via LDAP syntax
CN=,OU=,DC=,DC=COM
CN - Canonical name
OU - Organizational unit
DC - Domain component
The above three make up the DN, or distinguished name, which is the unique name of the object in the directory
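Splitting a DN into its CN, OU and DC components is easy to get wrong, because a comma inside a value is escaped with a backslash and a naive split on "," breaks such names. The following added example (not from the mind map) parses a DN into its relative distinguished names, unescapes the values, and derives the DNS domain name and container path from the result; the sample DN is constructed for this example and the function names are mine.

```powershell
# Added example, not part of the original mind map.
# Parses an LDAP distinguished name into its RDN components (RFC 4514 escaping).

function ConvertFrom-DistinguishedName {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    # Split only on commas that are not preceded by a backslash, so "CN=Smith\, John"
    # stays one component.
    $rdns = $DistinguishedName -split '(?<!\\),'
    foreach ($rdn in $rdns) {
        $type, $value = $rdn -split '=', 2
        [pscustomobject]@{
            Type  = $type.Trim().ToUpperInvariant()             # CN, OU or DC
            Value = $value -replace '\\([,\\=+"<>;#])', '$1'   # drop the escape backslash
        }
    }
}

# Derive the object's name, its container path (leaf first) and the DNS domain name
# (DC components joined with dots) from the parsed DN.
function Get-DnInfo {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $parts = @(ConvertFrom-DistinguishedName $DistinguishedName)
    [pscustomobject]@{
        Name      = ($parts | Where-Object Type -eq 'CN' | Select-Object -First 1).Value
        Container = (($parts | Where-Object Type -eq 'OU').Value -join '/')
        Domain    = (($parts | Where-Object Type -eq 'DC').Value -join '.')
    }
}

# Constructed sample DN for this example (not a real object).
$sample = 'CN=Smith\, John,OU=Finance,OU=Users,DC=corp,DC=example,DC=com'
ConvertFrom-DistinguishedName $sample | Format-Table -AutoSize
Get-DnInfo $sample
```

The same parser can be pointed at real DNs returned by Get-ADUser or Get-ADObject, which is useful when grouping objects by OU or domain in an audit script without relying on string position.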
Kerberos