Sunday, March 6, 2022

FSMO Transfer through CLI

 FSMO Role Transfer using CLI(Command Line tool)

Pre-requisites:

Both the source DC (the current role holder) and the target DC must be up and running and able to communicate with each other: a transfer is a negotiated hand-over between the two, not a seizure. The account used must hold the rights for the role being moved: Domain Admins for the domain-wide roles (PDC Emulator, RID Master, Infrastructure Master), Enterprise Admins for the Domain Naming Master and Schema Admins for the Schema Master.

Process:

Step 1: Connect to “Target-DC”

Step 2: Transfer

Command: ntdsutil.exe

ntdsutil:

The ntdsutil.exe utility is one of the key tools for performing maintenance tasks on Active Directory and its database (the ntds.dit file).

AD administrators use ntdsutil in various scenarios. Most often it is used to:

·       Transfer, or seize, FSMO roles between domain controllers in the AD domain (transfer when the current holder is online; seize only when it is permanently gone, and never bring the old holder back online afterwards without rebuilding it)

·       Perform an authoritative restore of deleted objects in Active Directory

·       Remove the metadata of faulty (missing) AD domain controllers

·       Perform AD database maintenance: checking integrity, compacting, or moving the ntds.dit file or the AD log files to another drive on a domain controller to improve performance

·       Manage Active Directory snapshots

·       Change the administrator password for DSRM (Directory Services Restore Mode)


C:\Users\Administrator.INTERAPAC>ntdsutil.exe

ntdsutil.exe: roles

fsmo maintenance: connections

server connections: connect to server paris-dc

Binding to paris-dc ...

Connected to paris-dc using credentials of locally logged on user.

server connections: q

fsmo maintenance: Transfer PDC

Server "paris-dc" knows about 5 roles

Schema - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Naming Master - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

PDC - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

RID - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Infrastructure - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

fsmo maintenance: Transfer RID Master

Server "paris-dc" knows about 5 roles

Schema - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Naming Master - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

PDC - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

RID - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Infrastructure - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

fsmo maintenance: Transfer infrastructure master

Server "paris-dc" knows about 5 roles

Schema - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Naming Master - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

PDC - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

RID - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Infrastructure - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

fsmo maintenance: Transfer schema master

Server "paris-dc" knows about 5 roles

Schema - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Naming Master - CN=NTDS Settings,CN=MIAMI-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

PDC - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

RID - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Infrastructure - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

fsmo maintenance: Transfer naming master

Server "paris-dc" knows about 5 roles

Schema - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Naming Master - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

PDC - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

RID - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

Infrastructure - CN=NTDS Settings,CN=PARIS-DC,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=interapac,DC=com

fsmo maintenance: q

ntdsutil.exe: q
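The same transfer done with the ActiveDirectory PowerShell module, as an added example that is not part of the original post. It keeps the post's names (PARIS-DC as target, interapac.com as the domain), adds the pre-checks a practitioner wants before moving roles (target is a writable DC, current holders are reachable) and verifies the result afterwards. It assumes an elevated PowerShell on a DC or a host with RSAT, run as an account with the rights each role requires.

```powershell
# Added example (not from the original post): transfer all five FSMO roles to
# PARIS-DC with the ActiveDirectory module instead of ntdsutil, with pre-checks
# and post-transfer verification. PARIS-DC / interapac.com are the names used in
# the post's ntdsutil transcript.
Import-Module ActiveDirectory

$TargetDc = 'PARIS-DC'
$Roles    = 'SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'

function Get-FsmoHolders {
    # Current holders as an ordered table role -> DC FQDN. Forest-wide roles come
    # from Get-ADForest, domain-wide roles from Get-ADDomain.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    return [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# Pre-check 1: the target must be a writable DC (RODCs cannot hold FSMO roles).
$target = Get-ADDomainController -Identity $TargetDc
if ($target.IsReadOnly) { throw "$TargetDc is an RODC and cannot hold FSMO roles" }

# Pre-check 2: every current holder must be reachable. A transfer needs both
# sides online; if a holder is gone for good, that is a seizure (-Force), not a
# transfer, and the old holder must never come back unrebuilt.
$before = Get-FsmoHolders
foreach ($role in $Roles) {
    if (-not (Test-Connection -ComputerName $before[$role] -Count 1 -Quiet)) {
        throw "Current $role holder $($before[$role]) is unreachable; refusing to transfer"
    }
}

# Transfer. Without -Force the cmdlet performs a graceful transfer.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Roles -Confirm:$false

# Verify: every role should now resolve to the target's FQDN.
$after = Get-FsmoHolders
$after.GetEnumerator() | ForEach-Object {
    $ok = ($_.Value -like "$TargetDc.*") -or ($_.Value -eq $TargetDc)
    '{0,-22} {1,-30} {2}' -f $_.Key, $_.Value, $(if ($ok) { 'OK' } else { 'NOT MOVED' })
}

# Cross-check with the built-in tool the post uses for finding role holders.
netdom query fsmo
```

Leaving out -Force is deliberate: the cmdlet's -Force switch is the seizure path, and seizing a role while the old holder is still reachable produces two DCs that both believe they own it.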

FSMO Transfer through GUI (Graphical User Interface)

Understanding FSMO transfer: moving (migrating) any FSMO role from one DC to another DC.

Checking the current role holders: netdom query fsmo

Pre-requisites:

The same as for the CLI transfer: both the source DC and the target DC must be up and running and able to communicate with each other, and the account used must have the rights the role requires.

Process:

Step 1: Connect to “Target-DC”

Step 2: Transfer

The “Active Directory Users and Computers” console transfers the three domain-wide roles (PDC Emulator, RID Master and Infrastructure Master).

STEPS:

Log on to ABC-DC and open the “Active Directory Users and Computers” console.

Right-click on the domain name (interapac.com) and click “Change Domain Controller” to connect to the target DC.


Select “PARIS-DC” and click on OK.


Now we are connected to “PARIS-DC”


Right-click on the domain name (interapac.com) and click “Operations Master”.



The window below will appear. Confirm that the DC shown as the new holder is the one you connected to (PARIS-DC), then click “Change”.

Click “Yes”.

Click “OK”.

We have successfully transferred the “RID Master” role from MIAMI-DC to PARIS-DC.

In the same way, the PDC Emulator and Infrastructure Master roles can be transferred from one DC to another through the GUI (the tabs of the same “Operations Master” dialog).

The “Active Directory Domains and Trusts” console transfers the Domain Naming Master, a forest-wide role.

Currently the Domain Naming Master is on MIAMI-DC.

To transfer the Domain Naming Master role, first connect the console to the target DC, i.e. PARIS-DC (right-click the root node, “Change Active Directory Domain Controller”).

Right-click on the root node with PARIS-DC selected and choose the “Operations Master” option.

The window below will appear; click “Change” and then “Yes” to transfer.

The window below shows that the Domain Naming Master has been successfully transferred.


To transfer the “Schema Master” through the GUI we need to add the “Active Directory Schema” snap-in to an MMC console. The snap-in is not exposed until its management DLL is registered, and the transfer itself requires membership of Schema Admins.

How to expose the “Active Directory Schema” snap-in

We need to register the schema management DLL. Any DLL is registered with the regsvr32.exe utility:

C:\>regsvr32.exe <Name of the DLL file>

How?

Open an elevated (Administrator) command prompt.

Run the command regsvr32 schmmgmt.dll

Then run mmc from the command prompt; the window below will appear.

In the File menu click “Add/Remove Snap-in”, add “Active Directory Schema” and click OK.

After adding the snap-in, right-click “Active Directory Schema” and click “Change Active Directory Domain Controller” to connect to the target DC, as below.

Next click “Operations Master” and the screen below will appear. Check that the DC listed as the new holder is the target.

Click “Change”.

Click “Yes”.

We have successfully transferred the Schema Master role.







Sunday, May 9, 2021

Windows Network- Workgroup and Domain

Workgroup vs Domain

Comparison                                | Workgroup                                                       | Domain
------------------------------------------+-----------------------------------------------------------------+-----------------------------------------------------------------
Architecture                              | Peer to peer                                                    | Client/server
Administration & management               | De-centralized                                                  | Centralized
Security                                  | Less secure                                                     | More secure (group policies and role-based access can be enforced)
Implementation                            | “Information / resource sharing” is prioritised over “security” | “Security” is prioritised over “information / resource sharing”
Active Directory Domain Services (AD DS)  | AD DS not present                                               | AD DS present
Logon & authentication                    | Local (per machine)                                             | Global (domain-wide)







  Client 
  Client can be an “Application” or a “Service” which requests for “Services & Resources” to a Server.

 Server 
  Server can be an “Application” or a “Service” which provides “Services & Resources” requested by the Client.

Client Server Architecture 

               What is Active Directory? 

Active Directory is a directory service that centralizes the management of users, computers and other objects within a network. Its primary function is to authenticate and authorize users and computers in a Windows domain.

     ·  (IdAM) Identity & Access Management

       What is Active Directory?

             https://youtu.be/i9I5poSokow 

               https://youtu.be/Whh3kPS0FdA 



Active Directory Architecture

·       All “Domain Controllers” (other than Read-Only Domain Controllers) hold a “read/write” copy of the AD database

·       Multi-master architecture: changes can be made on any writable DC and are replicated to the others

           What is a “Domain Controller (DC)”


·       Any server on which “Active Directory Domain Services (AD DS)” is installed and configured is a Domain Controller.

·       Equivalently, any server that holds a copy of the AD database is a Domain Controller.


What does the Active Directory database contain?

·       The Active Directory database (directory) contains information about the AD objects in the domain. Common types of AD objects include users, computers, applications, printers and shared folders.

·       Some objects can contain other objects (which is why you’ll see AD described as “hierarchical”). In particular, organizations often simplify administration by organizing AD objects into organizational units (OUs) and streamline security by putting users into groups. These OUs and groups are themselves objects stored in the directory.

·       Objects have attributes. Some attributes are obvious and some are more behind the scenes. For example, a user object typically has attributes like the person’s name, password, department and email address, but also attributes most people never see, such as its unique Globally Unique Identifier (GUID), Security Identifier (SID), last logon time and group membership. 

·       Databases are structured, which means there is a design that determines what types of data they store and how that data is organized. This design is called a schema. Active Directory is no exception: Its schema contains formal definitions of every object class that can be created in the Active Directory forest and every attribute that can exist in an Active Directory object.

How is Active Directory structured?(Just for our understanding)

 

·       AD has three main tiers: Domains, Trees and Forests.

·       A domain is a group of related users, computers and other AD objects, such as all the AD objects in a company.

·       Multiple domains can be combined into a tree, and multiple trees can be grouped into a forest. 


What are the benefits of an active directory? 

The Top 3 major benefits of Active Directory Domain Services are:

·       Centralized repository for user credentials - easier to manage and more secure. One place to manage users rather than having a username and password in every application database.

·       Single sign-on using Kerberos: users sign in once and get access to all Windows-integrated services. Better user experience and more secure (avoids multiple credentials).

·       Centralized management of workstation configuration through GPOs - you can define a common workstation configuration profile (registry settings, software installation, etc.) and it is automatically applied to the workstations in your domain.

·       Distributed and replicated - very robust, keeps working even if multiple DCs fail, maximizes uptime and performance of the authentication process.

·       Supports delegated administration - let department admins manage the users and computers in their department.

·       Use group memberships to provide a role-based access control model for applications and for directory management. Simplifies access rights management.

What is AD schema? (Database)

·       AD schema is the blueprint of objects which can be created in AD

·       Templates of objects which can be created in AD

·       Molds of objects which can be created in AD.


Schema contains “Classes” & “Attributes for those classes”


In above picture the ice cream objects are created from the molds.

Understanding FSMO Roles (flexible single master operations, or FSMO)


In a single-master operation a task is given to a single employee (person) to perform.

For example: in the picture above there is a team of Windows admins, and the team lead gives each of the following tasks to one employee:

1.    Email auditing

2.    Ticket auditing

3.    Team rostering

4.    Ticket closure report

A single employee in the team is given responsibility for performing a specific task; in AD terms that employee is the operations master for the task.

FSMO roles (also known as operations master roles) are special roles assigned to individual domain controllers in an Active Directory forest. Although AD is multi-master, each of these tasks is performed by exactly one DC at a time, to avoid conflicting updates.

There are five FSMO roles: two are forest-wide and three are domain-wide.

The following lists the operations master roles and their scope:


Forest Wide role: Schema Master & Domain Naming Master

Schema Master: There is only a single read/write copy of the schema in a Windows Server Active Directory forest, and it is stored on the Schema Master domain controller.

The Schema Master is the Domain Controller which holds the “read/write” copy of the Active Directory schema; all other Domain Controllers in the forest hold a “read-only” copy.

Note: If the Schema Master goes down there is no direct impact on end users or administrators until someone tries to modify the schema (for example, an Exchange or other schema-extending installation).

Domain Naming Master: one per forest (forest-wide)

All objects within Active Directory must be unique: we cannot create two objects in a container with the same name, and the distinguished names of all objects must be unique. The Domain Naming Master ensures that new domains added to the Active Directory forest have unique names.

Primary function: addition and removal of domains in the forest.

Idea: avoid creation of duplicate / identical domain names in the forest.

Note: If the Domain Naming Master goes down, domains cannot be added to or removed from the Active Directory forest. Promoting the first DC of a new domain or demoting the last DC of a domain (DCPROMO / Install-ADDSDomain) is affected; promoting additional DCs in an existing domain is not.

 Domain Wide role: RID Master ,PDC Emulator & Infrastructure Master

RID Master: (only one RID Master per domain)

Function: the RID Master allocates pools of RIDs (relative identifiers) to all the Domain Controllers in its domain. By default each pool is a block of 500 RIDs.

Object SIDs are ALWAYS unique: each is the domain SID plus a RID, and because only the RID Master hands out RID pools, no two DCs can issue the same RID.

Note: If the RID Master goes down, each Domain Controller can keep creating security principals until its current RID pool is exhausted; after that it cannot create new SIDs, so new user accounts, groups and computers fail to be created on that DC.

(An object in AD is not identified by its name but by a number called the objectSID, just called the SID in the AD world.)

PDC Emulator

Functions:

·       Time server for the domain (the root of the domain's time hierarchy)

·       Final authority for security-related conflicts

·       Password changes made at any other domain controller are replicated urgently to the PDC Emulator. This makes the PDC Emulator the authoritative source for the most recent password state in the domain.

·       A domain controller that receives a failed authentication (wrong password) takes a “second opinion” from the PDC Emulator before rejecting the user, in case the password was recently changed elsewhere and has not replicated yet.

·       Default target for Group Policy edits and for account lockout processing

Note: If the PDC Emulator goes down there is an immediate impact on normal operations: password changes cannot be validated against it, time synchronisation in the domain is affected, and the Group Policy Management console (which connects to the PDC Emulator by default) warns that it is unavailable.

Infrastructure Master:

Function:

·       The Infrastructure Master keeps track of cross-domain references (for example, a user from another domain who is a member of a group in this domain).

·       The Infrastructure Master is responsible for updating an object's Security Identifier (SID) and distinguished name in a cross-domain object reference when the referenced object is moved or renamed in its own domain.

Note: If the Infrastructure Master goes down these cross-domain references will NOT be updated, so phantom objects become stale. The effect is not immediate, and it only matters in a forest with more than one domain.

Phantom objects

Phantom objects are database objects used for “internal administrative operations” in Active Directory. Phantom objects cannot be displayed through LDAP or ADSI.

Phantom objects are created when, for example, an object is deleted in Active Directory but there are still references or links to it. Phantom objects may also be created if a domain local group has a user from another domain as a member.

If the domain controller holding the Infrastructure Master role is also a Global Catalog server, phantom objects are never created on it (and therefore never updated), because the GC already holds a partial replica of every object in the forest. In a multi-domain forest the Infrastructure Master should therefore not be on a GC unless every DC in the domain is a GC.

In Active Directory, phantom objects are created for cross-domain group-to-user links. They contain only the minimum information needed to find the original object in the other domain (distinguished name, objectGUID and objectSID).

Global Catalog:

The term “catalog”: a complete list of items, typically one in alphabetical or other systematic order.

The Global Catalog is a catalog of that kind; it resides on a domain controller.

A “Global Catalog” (GC) holds full/complete information about all the objects in its own domain and partial information (a defined subset of attributes, the partial attribute set) about all the objects in the entire forest.

                All DCs can be configured as GCs

                Microsoft recommends at least one GC per AD site

         Networking Devices

·      NIC (Network Interface Card / Controller)

·       The NIC is the physical interface between the computer and the network cable.

·       The NIC is a hardware device, today usually integrated on the motherboard.

·       The NIC performs the low-level network functions (framing, addressing by MAC address, sending and receiving on the medium).

·       The NIC allows a networking device to communicate with other networking devices.

·       Typically all modern PCs have NICs integrated in the motherboard (LAN card / NIC / Ethernet card, etc.)

·      Switch

A switch is a device in a computer network that connects other devices together.

 Multiple data cables are plugged into a switch to enable communication between different networked devices.


Router:
 ·       A router is a device which connects 2 or more different networks.
·       A router is a networking device that forwards data packets between computer networks. 
                                       What is a Router?

HUB: 

Hubs are networking devices operating at a physical layer of the OSI model that are used to connect multiple devices in a network.


·       A hub has many ports in it. A computer which intends to be connected to the network is plugged in to one of these ports. When a data frame arrives at a port, it is broadcast to every other port, without considering whether it is routed for a particular destination device or not.

Bridge:

·       A bridge divides a LAN into multiple segments. It was common on shared-medium (bus) Ethernet, where it reduces the traffic each segment sees.

·       A bridge inspects incoming frames and decides whether to forward or drop them, based on the source and destination MAC addresses.

As per the picture above:

·       The bridge divides the LAN into two segments (Segment 1 and Segment 2) and learns the MAC address of every connected PC into its table. As an example, PC 1 tries to send data to PC 2.

·       The data first travels to the bridge. The bridge reads the destination MAC address and decides whether the frame belongs on segment 1 or segment 2. Since PC 2 is on segment 1, the bridge forwards the data only on segment 1 and does not send it to the PCs on segment 2.

What is Bridge in Networking | How Bridge works and its functions (learnabhi.com)

Gateway:

·       A gateway is a networking device that connects two networks that use different protocols.

·       It acts as a “gate” between the two networks. It may be a router, firewall, server, or other device that enables traffic to flow in and out of the network.

Modem:

·       A modem is a network device that connects your local area network (LAN) to the wide area network (WAN), i.e. the internet.

·       Most modems are connected over a phone line, coaxial cable, or optical fibre.

A modem “modulates and demodulates” (converts) between the analog signal from your internet service provider (ISP) and the digital signal from your router, computer and other network devices, so you can connect to the internet.

Repeater:

·       Its job is to regenerate the signal over the same network before the signal becomes too weak or corrupted so as to extend the length to which the signal can be transmitted over the same network.

Note:- Repeaters do not amplify the signal. When the signal becomes weak, they copy the signal bit by bit and regenerate it at the original strength. It is a 2 port device. 

                

For More Understanding of Network devices please refer below link: What is Hub,Bridge,switch and Router-Hindi/Urdu | Best Video on Networking Devices-Hindi/URDU - YouTube


Firewall

A firewall is a network security system (a hardware appliance or a software application) that monitors incoming and outgoing network traffic and decides whether to allow or block the traffic based on a defined set of security rules.


Please refer below video of Firewall for better understanding :What is a Firewall? - YouTube

Block traffic by default: start by blocking all traffic and only allow specific traffic to identified services. This gives control over what reaches the host or network and reduces the possibility of a breach. Depending on the platform, the deny-all is either implicit (the profile's default action when no rule matches) or explicit (a final “deny any” rule at the end of the access control list).
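The default-deny approach on Windows Defender Firewall, as an added example that is not part of the original post. It shows the permissive starting point beside the corrected one and ends with a listing that makes over-broad allow rules stand out. The rule names, ports and the management subnet (10.0.10.0/24) are assumptions for illustration; run it elevated.

```powershell
# Added example (not from the original post): "block by default, allow specific
# services" on Windows Defender Firewall. Rule names, ports and the management
# subnet are illustrative assumptions.

# Weak starting point: show the current default actions. A profile whose
# DefaultInboundAction is Allow lets any unsolicited connection in.
Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 1. Default deny inbound on every profile. This is the implicit "deny all" at
#    the end of the rule base: only explicit Allow rules let traffic in.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Explicit allows for identified services only, scoped to the networks the
#    traffic should legitimately come from.
New-NetFirewallRule -DisplayName 'Allow HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 443 -Action Allow -Profile Domain,Private

New-NetFirewallRule -DisplayName 'Allow RDP from management subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.10.0/24 -Action Allow -Profile Domain

# 3. Verify: list every enabled inbound Allow rule with its port and remote
#    scope, so a rule open to "Any" on a sensitive port is visible at a glance.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Name       = $_.DisplayName
            Protocol   = $port.Protocol
            LocalPort  = $port.LocalPort
            RemoteAddr = $addr.RemoteAddress
            Profile    = $_.Profile
        }
    } | Sort-Object Name | Format-Table -AutoSize
```

The RDP rule is the one to read carefully: with default deny in place, the blast radius of an exposed management port is decided entirely by the RemoteAddress scope on its Allow rule.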

DMZ – De-militarized Zone

The DMZ Network exists to protect the hosts most vulnerable to attack. These hosts usually involve services that extend to users outside of the local area network, the most common examples being email, web servers, and DNS servers.


The goal of a DMZ is to add an extra layer of security to an organization's local area network.

AD Group Types & Group Scope



AD Group Types

·       Security Group:-

·       A security group has a SID and thus can be used for assigning permissions to files or objects.

·       A security group can also be used as a distribution group in e-mail software like Exchange.

·       Thus, the difference between a security group and a distribution group is simply that a security group is security enabled whereas a distribution group is not.


AD Distribution Group:-

·       Distribution groups are used for distributing messages to group members. Distribution groups are used with e-mail applications, such as Microsoft Exchange.

·       They allow a user to send e-mail to an address that is associated with the group and have it distributed to all members whose accounts are mailbox enabled. Distribution groups are not security enabled, and therefore cannot be used to assign permissions to Windows resources.

·       Distribution groups do not have a SID (Security Identifier) associated with them. That is, a distribution group cannot be used to assign permissions to files or objects.


AD Group Scope

1. Domain Local:

·       Domain local groups are used to assign permissions for access to resources.

·       These permissions can be assigned only to resources in the same domain in which the domain local group was created.

·       Members can come from any domain: user accounts, global groups and universal groups from any domain, and other domain local groups from the same domain. A domain local group can itself be a member only of other domain local groups in the same domain.

2. Global:

  •     Global groups are used to organise users who share similar network access requirements; they can be granted access to resources in any domain.
  •     Members can be added only from the domain in which the global group was created.
  •     A global group can contain user accounts and global groups from the same domain, and can be a member of universal and domain local groups in any domain.

3. Universal:

  •     Universal groups are used to assign permissions for access to related resources in multiple domains.
  •     Members can be added from any domain.
  •     A universal group can contain user accounts, universal groups and global groups from any domain, and can be a member of domain local or universal groups in any domain. Universal group membership is stored in the Global Catalog.


Nesting one group in another group with a different scope:

Rules that govern when a group can be added to another group:

·       Global groups can be nested within Domain Local groups and Universal groups in any domain, and within other Global groups in the same domain.

·       Universal groups can be nested within Domain Local groups and within other Universal groups in any domain.

·       A Domain Local group cannot be nested within a Global or a Universal group; it can only be nested within another Domain Local group in the same domain.
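The scope rules above, encoded as a check to run before Add-ADGroupMember, followed by the usual “accounts into Global, Global into Domain Local, permission on Domain Local” chain. This is an added example, not part of the original post; the group names (GG-Finance, DL-FinanceShare-RW), the OU and the domain (interapac.com) are assumptions. The rule checker itself runs anywhere; the group creation needs the ActiveDirectory module and rights on the target OU.

```powershell
# Added example (not from the original post): group scope nesting rules as a
# check, then an AGDLP setup that uses it. Names and OU are assumptions.

function Test-GroupNesting {
    # Returns $true when a group of scope $MemberScope may be nested inside a
    # group of scope $ContainerScope, given whether both live in the same domain.
    param(
        [ValidateSet('DomainLocal','Global','Universal')][string]$MemberScope,
        [ValidateSet('DomainLocal','Global','Universal')][string]$ContainerScope,
        [bool]$SameDomain
    )
    switch ($ContainerScope) {
        # Domain local groups accept users, global and universal groups from any
        # domain, but domain local groups only from their own domain.
        'DomainLocal' { return ($MemberScope -ne 'DomainLocal') -or $SameDomain }
        # Global groups accept only global groups from their own domain.
        'Global'      { return ($MemberScope -eq 'Global') -and $SameDomain }
        # Universal groups accept global and universal groups from any domain,
        # never domain local groups.
        'Universal'   { return $MemberScope -ne 'DomainLocal' }
    }
}

# Self-check of the rule table against the three bullets above.
$cases = @(
    @{ M = 'Global';      C = 'DomainLocal'; Same = $true;  Expect = $true  },
    @{ M = 'Global';      C = 'Global';      Same = $true;  Expect = $true  },
    @{ M = 'Global';      C = 'Global';      Same = $false; Expect = $false },
    @{ M = 'Universal';   C = 'DomainLocal'; Same = $false; Expect = $true  },
    @{ M = 'DomainLocal'; C = 'Global';      Same = $true;  Expect = $false },
    @{ M = 'DomainLocal'; C = 'Universal';   Same = $true;  Expect = $false },
    @{ M = 'DomainLocal'; C = 'DomainLocal'; Same = $false; Expect = $false }
)
foreach ($c in $cases) {
    $got = Test-GroupNesting -MemberScope $c.M -ContainerScope $c.C -SameDomain $c.Same
    if ($got -ne $c.Expect) { throw "Rule table mismatch: $($c.M) in $($c.C), sameDomain=$($c.Same)" }
}

# AGDLP in practice: Accounts -> Global group (organised by role) -> Domain
# Local group (carries the permission) -> ACL on the resource.
Import-Module ActiveDirectory
$ou = 'OU=Groups,DC=interapac,DC=com'   # assumed to exist
New-ADGroup -Name 'GG-Finance'         -GroupScope Global      -GroupCategory Security -Path $ou
New-ADGroup -Name 'DL-FinanceShare-RW' -GroupScope DomainLocal -GroupCategory Security -Path $ou

$member    = Get-ADGroup 'GG-Finance'
$container = Get-ADGroup 'DL-FinanceShare-RW'
# Compare the domain part of the two distinguished names.
$memberDomain    = $member.DistinguishedName    -replace '^.*?,DC=', 'DC='
$containerDomain = $container.DistinguishedName -replace '^.*?,DC=', 'DC='
$sameDomain = ($memberDomain -eq $containerDomain)

if (Test-GroupNesting -MemberScope $member.GroupScope -ContainerScope $container.GroupScope -SameDomain $sameDomain) {
    Add-ADGroupMember -Identity $container -Members $member
} else {
    throw "Nesting $($member.Name) in $($container.Name) violates the scope rules"
}
```

Add-ADGroupMember would reject an illegal nesting on its own, but the check up front gives a clear message before anything is written, and the same function can be run over an export of existing groups to find chains that only work because every group was created as Universal.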




