Windows.NET Beta 3 Active Directory New Features
25. DECUS Symposium, 16.04.2002, http://www.decus.de
Wolfgang Werner, Compaq, Decus Bonn


SLIDE 1

Windows.NET Beta 3 Active Directory New Features

Wolfgang Werner, Compaq, Decus Bonn 2002

Agenda

– Install Replica from Media
– Domain Controller Rename
– Domain Rename
– Universal Group Membership Caching
– Linked Value Replication
– Forest Trusts
– Application Directory Partitions
– Defunct Schema Objects
– InetOrgPerson

SLIDE 2

Install Replica from Media

Problem: installing a Domain Controller at a site with a slow network connection. Windows 2000 replicates a complete copy of the Active Directory database (and, for a Global Catalog server, the partial replicas of every other domain) over the network.


Windows.NET Server allows loading the Active Directory database from a backup of an existing Domain Controller or Global Catalog server

– Back up the system state of an existing DC
– Restore the system state to an alternate location on the target server

SLIDE 3


Run DCPROMO in Advanced Mode

– DCPROMO /ADV


Network connectivity still required for up-to-date information

– Changes made to the AD database since the backup, and updates to the SYSVOL folder, are still replicated over the network

Restrictions

– The backup cannot be older than the tombstone lifetime (default 60 days)
– Application directory partitions will not be restored

SLIDE 4


Domain Controller Rename

In Windows 2000 a domain controller (DC) can't be renamed. In Windows.NET DCs can be renamed without being demoted first; the new name is automatically updated in DNS and Active Directory.

SLIDE 5


No Explorer-like rename; the procedure is:

– Add a new name
– Wait for the new name to propagate through the network
– Remove the old name


Add new name

– NETDOM COMPUTERNAME oldname /ADD:newname

Wait for replication of

– the DNS host (A) records
– the servicePrincipalName attribute to all DCs in the domain and all Global Catalog servers in the forest

SLIDE 6


Update computer account in AD

– NETDOM COMPUTERNAME oldname /MAKEPRIMARY:newname

Reboot, then wait for the replication of the DNS Locator resource records

– Defined in system32\config\netlogon.dns


Remove old name

– NETDOM COMPUTERNAME newname /REMOVE:oldname
– Removes the old DNS host (A) records
– Removes the old name from Active Directory

Change "Computer Name" in the System Control Panel
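The procedure above has two waits whose length depends on replication, and skipping either one leaves clients with a name that some DCs or DNS servers do not yet know. As an added example, not code from the slides, here is the same sequence driven from PowerShell with explicit checks between the steps: after /ADD it polls every DC for the new HOST SPN and every DNS server of the zone for the new A record, and before /REMOVE it runs netdom's own consistency check. It assumes the ActiveDirectory and DnsClient modules, a Domain Admin session, and the hypothetical host and domain names below; it must not be used on a DC that is also a Certification Authority.

```powershell
Import-Module ActiveDirectory

function Invoke-Netdom {
    param([string[]]$Arguments)
    & netdom.exe @Arguments
    if ($LASTEXITCODE -ne 0) { throw "netdom $($Arguments -join ' ') failed with exit code $LASTEXITCODE" }
}

function Wait-NameReplicated {
    # Returns once every DC in the domain sees HOST/<new name> on the computer account and every
    # DNS server of the zone (taken from the zone's NS records) answers an A query for the new name.
    param([string]$ComputerName, [string]$NewFqdn, [string]$Domain, [int]$TimeoutMinutes = 60)
    $deadline   = (Get-Date).AddMinutes($TimeoutMinutes)
    $dcs        = (Get-ADDomainController -Filter * -Server $Domain).HostName
    $dnsServers = (Resolve-DnsName -Name $Domain -Type NS | Where-Object Type -eq 'NS').NameHost
    do {
        $pending = @()
        foreach ($dc in $dcs) {
            $spns = (Get-ADComputer -Identity $ComputerName -Server $dc -Properties servicePrincipalName).servicePrincipalName
            if ($spns -notcontains "HOST/$NewFqdn") { $pending += "$dc (SPN)" }
        }
        foreach ($ns in $dnsServers) {
            if (-not (Resolve-DnsName -Name $NewFqdn -Type A -Server $ns -ErrorAction SilentlyContinue)) { $pending += "$ns (DNS)" }
        }
        if (-not $pending) { return }
        Write-Host "Still waiting for: $($pending -join ', ')"
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    throw "$NewFqdn did not replicate everywhere within $TimeoutMinutes minutes"
}

function Rename-DomainController {
    # First half: add the alternate name, wait for it to replicate, make it primary. A reboot follows.
    param([string]$OldFqdn, [string]$NewFqdn, [string]$Domain)
    Invoke-Netdom -Arguments @('computername', $OldFqdn, "/add:$NewFqdn")
    Wait-NameReplicated -ComputerName $OldFqdn.Split('.')[0] -NewFqdn $NewFqdn -Domain $Domain
    Invoke-Netdom -Arguments @('computername', $OldFqdn, "/makeprimary:$NewFqdn")
    Write-Host "Reboot $OldFqdn, wait for its DNS locator records to replicate, then run Remove-OldDcName."
}

function Remove-OldDcName {
    # Second half, after the reboot: verify the DNS and SPN entries of all names, then drop the old one.
    param([string]$OldFqdn, [string]$NewFqdn)
    Invoke-Netdom -Arguments @('computername', $NewFqdn, '/verify')
    Invoke-Netdom -Arguments @('computername', $NewFqdn, "/remove:$OldFqdn")
}

# Rename-DomainController -OldFqdn 'dc1.corp.example.com' -NewFqdn 'dc-bonn-01.corp.example.com' -Domain 'corp.example.com'
# ... reboot dc1 ...
# Remove-OldDcName -OldFqdn 'dc1.corp.example.com' -NewFqdn 'dc-bonn-01.corp.example.com'
```

The SPN check matters for security as well as availability: until HOST/newname has replicated, a Kerberos client that already resolved the new name gets a ticket request that the KDC cannot serve, and clients fall back to NTLM or fail.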

SLIDE 7


Moving DCs between domains was planned but will not be implemented
Certification Authorities cannot be renamed
DNS and Active Directory replication latency may make the renamed DC temporarily unavailable


SLIDE 8

Renaming Domains

Change the DNS and NetBIOS names

– of the forest-root domain
– of any tree-root domains
– of any parent and child domains

Restructure a domain's position within a forest


No pruning and grafting capabilities
Windows.NET Help and Support: "A domain rename will affect every domain controller in your forest and is a thorough multi-step process that requires a detailed understanding of the operation"
Resources from http://www.microsoft.com/windows2000/downloads/tools/domainrename/default.asp

– Understanding How Domain Rename Works (28 pages)
– Step-by-Step Guide to Implementing Domain Rename (69 pages)
– rendom.exe utility

SLIDE 9


The identity of the forest root domain cannot be changed (it can be renamed, but no other domain can become the forest root)
If Exchange 2000 is deployed in the same forest, domain rename is blocked
Each domain controller in the forest will be out of service briefly
All domain controllers in the forest that were unreachable during the operation or finished in the Error state must be demoted
Any external trust relationships must be re-established
...


SLIDE 10

Universal Group Membership Caching

In Windows 2000 a Global Catalog server is required for logging on to a domain

– To determine the user's membership in universal groups
– If no local GC is available, a GC in a remote site is used

Recommendation: at least one GC per site

– Adds replication traffic


If no Global Catalog is available:

– If the user is an administrator (member of Domain Admins), logon succeeds
– If only a Domain Controller is available, the user fails to log on to the workstation
– If no Domain Controller is available, the user is logged on with cached credentials

SLIDE 11


Workaround in Windows 2000: set HKLM\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures = 1
(Q241789: How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons)

– Potential security vulnerability if universal groups are also used: a user logged on without a GC gets a token without universal group SIDs, so access control that relies on universal groups (in particular Deny entries) is not applied


Windows.NET adds the ability to cache the universal group memberships of users
Enabling this caching is done on a site-by-site basis
To enable GC-less logon, modify the NTDS Site Settings object of the site in Active Directory Sites and Services

SLIDE 12


The DC will use the cached information even if a GC is available
The cache is refreshed in eight-hour intervals (default)

– This caching mechanism may allow stale data: a user removed from a universal group keeps that group's SID in the token at this site until the next refresh

Cached data expires from lack of use

– No logon in 180 days (default)


To adjust the default refresh interval

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Refresh Interval (DWORD, minutes)

To adjust the default expiration time period

HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Cached Membership Site Stickiness (DWORD, minutes)

SLIDE 13


msDS-Cached-Membership: single-valued attribute added to the user object

– Stores the SIDs of the universal groups to which the user belongs
– To populate the attribute, the DC must contact a GC when a user first logs on
– Not replicated between Domain Controllers


No GUI to control an update of the cached msDS-Cached-Membership attributes; use ADSI to write the UpdateCachedMemberships operational attribute of rootDSE on the DC:

Set objRoot = GetObject("LDAP://RootDSE")
objRoot.Put "UpdateCachedMemberships", 1
objRoot.SetInfo
SLIDE 14


To diagnose group membership caching, set

HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\20 Group Caching = 5 (full diagnostics)

Information is written to the Directory Service event log
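The pieces described on the last five slides (the per-site switch, the two registry intervals, the rootDSE refresh and the diagnostics level) fit together as follows. This is an added example, not code from the slides, written for the ActiveDirectory module of the released product line; the site, DC and path names are hypothetical. The per-site switch is bit 0x20 of the options attribute on the NTDS Site Settings object, which is what the checkbox in Sites and Services sets, and msDS-Preferred-GC-Site on the same object chooses the site whose GC the refresh contacts.

```powershell
Import-Module ActiveDirectory

$UgmcBit = 0x20   # options bit on NTDS Site Settings: universal group membership caching enabled

function Get-SiteSettingsDN {
    param([string]$Site)
    "CN=NTDS Site Settings,CN=$Site,CN=Sites,$((Get-ADRootDSE).configurationNamingContext)"
}

function Get-UgmcState {
    param([string]$Site)
    $s = Get-ADObject (Get-SiteSettingsDN $Site) -Properties options, msDS-Preferred-GC-Site
    [pscustomobject]@{
        Site        = $Site
        Enabled     = ((([int]$s.options) -band $UgmcBit) -ne 0)
        RefreshFrom = if ($s.'msDS-Preferred-GC-Site') { $s.'msDS-Preferred-GC-Site' } else { '(nearest GC)' }
    }
}

function Enable-Ugmc {
    param([string]$Site, [string]$PreferredGcSiteDN)
    $dn = Get-SiteSettingsDN $Site
    $s  = Get-ADObject $dn -Properties options
    Set-ADObject $dn -Replace @{ options = (([int]$s.options) -bor $UgmcBit) }
    if ($PreferredGcSiteDN) { Set-ADObject $dn -Replace @{ 'msDS-Preferred-GC-Site' = $PreferredGcSiteDN } }
}

function Set-UgmcRefreshInterval {
    # Per DC; the value is in minutes (slides: default eight hours, i.e. 480).
    # A shorter interval bounds how long a revoked universal group membership stays usable at the site.
    param([string]$DC, [int]$Minutes)
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
            -Name 'Cached Membership Refresh Interval' -Value $using:Minutes -Type DWord
    }
}

function Update-CachedMemberships {
    # Same operation as the ADSI snippet on the previous slide: write the rootDSE operational attribute.
    # Run it right after removing a user from a universal group instead of waiting for the next refresh.
    param([string]$DC)
    $root = [ADSI]"LDAP://$DC/RootDSE"
    $root.Put('UpdateCachedMemberships', 1)
    $root.SetInfo()
}

function Enable-UgmcDiagnostics {
    param([string]$DC, [int]$Level = 5)
    Invoke-Command -ComputerName $DC -ScriptBlock {
        Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
            -Name '20 Group Caching' -Value $using:Level -Type DWord
    }
}

# Usage (hypothetical site and DC names):
# $cfg = (Get-ADRootDSE).configurationNamingContext
# Enable-Ugmc -Site 'Bonn' -PreferredGcSiteDN "CN=Frankfurt,CN=Sites,$cfg"
# Get-UgmcState -Site 'Bonn'
# Set-UgmcRefreshInterval -DC 'dc-bonn-01' -Minutes 120
# Update-CachedMemberships -DC 'dc-bonn-01'
# Enable-UgmcDiagnostics -DC 'dc-bonn-01'
```

The cached SIDs are read back with Get-ADUser -Properties msDS-Cached-Membership on the caching DC (the attribute is not replicated, so the query must target that DC); the Directory Service event log then shows each refresh once the diagnostics level is raised.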


SLIDE 15

Linked Value Replication

Novell's Claims against Active Directory (December 1999):

DID YOU KNOW that Microsoft recommends against distributed group management? MS recommends that all group membership should be done from a single machine. WHY? If two administrators manage an AD group (add/delete a user to/from the group) before the group COMPLETELY synchronizes to ALL AD domain controllers, changes will be lost.


In Windows 2000 group membership is stored as a single multi-valued attribute (member). If the membership is modified, the complete attribute is replicated

– Even when adding or removing a single member

If the membership is modified on two different DCs within one replication interval, the last writer wins and the other change is lost. Windows 2000 workaround: use only one Domain Controller to change group membership

SLIDE 16


Windows.NET removes this issue

– A linked value is a pointer to another object in the directory
– A multi-valued linked attribute is a list of pointers to other objects in the directory
– Replication metadata is stored for every single value of that list
– Now a single value can be replicated on its own


Novell's Claims against Active Directory (December 1999):

DID YOU KNOW that Microsoft recommends no more than 5000 users in an Active Directory group? WHY? Because group membership is sent out as a single attribute value. So, if you add the 5000th user to a group of 4999 members, instead of sending just the new user, the entire group (all 5000 users) is sent to ALL domain controllers.

SLIDE 17


5000 members is not a hard limit; the attribute becomes too large to be replicated in a single transaction
Windows 2000 workaround: nest smaller groups to compose larger groups
Windows.NET removes the issue by replicating only the changed values of the group membership
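Whether a forest actually uses linked value replication, and what "metadata per value" looks like, can be checked directly. The following is an added example, not code from the slides, for the ActiveDirectory module of the released product line (Get-ADReplicationAttributeMetadata requires the Windows Server 2012 or later module); the group and DC names are hypothetical. LVR is switched on when the forest reaches the Windows Server 2003 (or 2003 interim) functional level, which is the released-product form of the Windows.NET behaviour described on these slides.

```powershell
Import-Module ActiveDirectory

function Test-LvrEnabled {
    # Linked value replication is active from the Windows Server 2003 (interim) forest level upwards.
    $mode = (Get-ADForest).ForestMode
    [pscustomobject]@{ ForestMode = $mode; LvrEnabled = ($mode -ne 'Windows2000Forest') }
}

function Get-MemberReplicationMetadata {
    # With LVR each value of "member" carries its own version, originating DC and timestamps,
    # so a change to one member replicates alone and cannot overwrite changes to other members.
    # Deleted members keep a LastOriginatingDeleteTime instead of vanishing from the list.
    param([string]$Group, [string]$DC)
    $dn = (Get-ADGroup -Identity $Group -Server $DC).DistinguishedName
    Get-ADReplicationAttributeMetadata -Object $dn -Server $DC -ShowAllLinkedValues |
        Where-Object { $_.AttributeName -eq 'member' } |
        Select-Object AttributeValue, Version, LastOriginatingChangeTime,
                      LastOriginatingChangeDirectoryServerIdentity, LastOriginatingDeleteTime
}

function Compare-MembershipAcrossDCs {
    # The same group read from two DCs: the sets converge; while they differ, LVR shows a
    # per-member difference, never one DC's whole list overwriting the other's.
    param([string]$Group, [string]$DC1, [string]$DC2)
    $m1 = @((Get-ADGroup -Identity $Group -Server $DC1 -Properties member).member | Where-Object { $_ })
    $m2 = @((Get-ADGroup -Identity $Group -Server $DC2 -Properties member).member | Where-Object { $_ })
    Compare-Object -ReferenceObject $m1 -DifferenceObject $m2 | ForEach-Object {
        [pscustomobject]@{
            Member = $_.InputObject
            OnlyOn = if ($_.SideIndicator -eq '<=') { $DC1 } else { $DC2 }
        }
    }
}

# Test-LvrEnabled
# Get-MemberReplicationMetadata -Group 'Finance-Universal' -DC 'dc-bonn-01' | Format-Table -AutoSize
# Compare-MembershipAcrossDCs -Group 'Finance-Universal' -DC1 'dc-bonn-01' -DC2 'dc-frankfurt-01'
```

For an audit the per-value metadata is the interesting part: LastOriginatingChangeDirectoryServerIdentity and LastOriginatingChangeTime name the DC and moment at which a specific member was added, which the whole-attribute metadata of Windows 2000 could not tell apart from any other change to the list.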


SLIDE 18

Forest Trusts

In Windows 2000, Kerberos authentication works only within a forest. To connect two forests, non-transitive external (NTLM) trusts must be created between every pair of domains across the two forests that need to authenticate to each other


In Windows.NET Transitive Kerberos trust between two forests' root domains can be created

– Authorization and authentication occur transparently between the linked forests

Forest trusts are targeted at companies

– Undergoing mergers or acquisitions
– Seeking a solution for administrative autonomy

Cross-forest trust can be 1-way or 2-way

SLIDE 19


Two-way

– All users in both forests are able to access all resources anywhere in either forest

One-way: incoming

– Only users in the first forest are able to access resources anywhere in the second forest
– Users in the second forest will not be able to access any resources in the first forest

One-way: outgoing

– Only users in the second forest are able to access resources anywhere in the first forest
– Users in the first forest will not be able to access any resources in the second forest


To define trust relationships use the new Trust Wizard

SLIDE 20


Forest trusts can only be created between two forests; the relationship is not transitive across forests (A trusting B and B trusting C does not make A trust C)
Exchange Server still sees two different organizations

No way to unify forests into one forest

– Still two Global Catalogs
– Still two Schemas


SLIDE 21

Application Directory Partitions

A naming context (also called a directory partition)

– Stores application-specific data in the Active Directory
– Used for redundancy, availability, or fault tolerance

Windows 2000: only three choices of replication scope

– Not replicated
– Domain-wide (domain naming context)
– Forest-wide (configuration naming context)


In Windows 2000 data may go to places where it is not used

– All application data is replicated to every DC in the domain
– Every object in Active Directory is put into the GC (with its partial attribute set)

Inappropriate to store volatile data in the DS

– Gets replicated widely
– Data may not be up to date on various domain controllers
– May cause a lot of replication traffic

SLIDE 22


In Windows.NET additional naming contexts can be created

– Used by Active Directory enabled applications to store and replicate data
– Usually created by the applications that will use them
– Can contain any hierarchy of objects, except security principals
– Replicated only to specific domain controllers in the forest
– Objects are not replicated to the GC


Naming

– Part of the forest namespace
– Like a domain directory partition
– Same DNS and LDAP naming conventions

DNS: adp1.microsoft.com
DN: dc=adp1,dc=microsoft,dc=com

SLIDE 23


Three possible placements within the forest namespace:

– A child of a domain directory partition
– A child of an application directory partition
– A new tree in the forest

Domain directory partitions cannot be children of an application directory partition


Ntdsutil can be used to perform various operations

– For testing and troubleshooting purposes only
– Applications will provide the utilities

DCPROMO demote will not remove replicas or delete application directory partitions

SLIDE 24


The Knowledge Consistency Checker (KCC) automatically generates and maintains the replication topology for all application directory partitions
Replicas follow the same intersite replication schedule as the domain directory partition


Example: Active Directory integrated DNS

Ability to replicate zones

– Among a given set of DNS servers of different domains: custom application partition created with dnscmd.exe (/CreateDirectoryPartition, /EnlistDirectoryPartition, /UnEnlistDirectoryPartition)
– To all DNS servers in the domain: default DNS application partition DomainDnsZones (dnsmgmt.msc or dnscmd.exe)
– To all DNS servers in the forest: default DNS application partition ForestDnsZones (dnsmgmt.msc or dnscmd.exe)

SLIDE 25


Example: List partitions with ntdsutil.exe
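The ntdsutil listing on this slide is a screenshot that did not survive extraction. As an added example, not code from the slides, here is the same inventory done from the directory itself: every partition is described by a crossRef object under CN=Partitions in the configuration NC, whose systemFlags tell a domain partition (which may hold security principals) from an application partition (which may not), and msDS-NC-Replica-Locations lists the DCs that hold a replica. The ntdsutil and dnscmd invocations at the end are the command-line equivalents; the example assumes the ActiveDirectory module, and on Windows Server 2003 the ntdsutil menu was called "domain management" instead of "partition management".

```powershell
Import-Module ActiveDirectory

$FLAG_CR_NTDS_NC     = 0x1   # systemFlags: the crossRef describes an NC hosted by AD DS
$FLAG_CR_NTDS_DOMAIN = 0x2   # systemFlags: ...and that NC is a domain (security principals allowed)

function Get-DirectoryPartitionReport {
    $root = Get-ADRootDSE
    $partitions = "CN=Partitions,$($root.configurationNamingContext)"
    Get-ADObject -SearchBase $partitions -LDAPFilter '(objectClass=crossRef)' `
                 -Properties nCName, dnsRoot, systemFlags, msDS-NC-Replica-Locations |
    Where-Object { (([int]$_.systemFlags) -band $FLAG_CR_NTDS_NC) -ne 0 } |
    ForEach-Object {
        $isDomain = (([int]$_.systemFlags) -band $FLAG_CR_NTDS_DOMAIN) -ne 0
        if     ($_.nCName -eq $root.configurationNamingContext) { $kind = 'Configuration' }
        elseif ($_.nCName -eq $root.schemaNamingContext)        { $kind = 'Schema' }
        elseif ($isDomain)                                       { $kind = 'Domain' }
        else                                                     { $kind = 'Application' }
        # Replica locations are the NTDS Settings objects of the hosting DCs:
        # CN=NTDS Settings,CN=<dc>,CN=Servers,CN=<site>,... -> keep <dc>
        $replicas = @($_.'msDS-NC-Replica-Locations' | Where-Object { $_ } |
                      ForEach-Object { ($_ -split ',')[1] -replace '^CN=' })
        [pscustomobject]@{
            Partition = $_.nCName
            DnsRoot   = $_.dnsRoot
            Kind      = $kind
            Replicas  = if ($kind -eq 'Application') { $replicas -join ', ' } else { '(all DCs in scope)' }
        }
    }
}

function Show-PartitionTools {
    # The same information from the command-line tools named on the slides.
    & ntdsutil.exe 'partition management' 'connections' 'connect to server localhost' 'quit' 'list' 'quit' 'quit'
    & dnscmd.exe /EnumDirectoryPartitions
}

# Get-DirectoryPartitionReport | Format-Table -AutoSize
# Show-PartitionTools
```

The Replicas column is the security-relevant one: an application partition replicates only to the DCs listed there, so that list is where to look when checking which DCs hold, for example, a DNS partition that clients can update dynamically.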


SLIDE 26

Defunct Schema Objects

The directory schema describes the kinds of objects that can reside in a directory

– Allowable parent object types for an object
– Mandatory and optional attributes for an object
– Syntax for an attribute

Schema objects: classes and attributes


Schema additions are permanent

– No way back
– In both Windows 2000 and Windows.NET

In Windows.NET schema objects

– Can be disabled (marked "defunct")
– Can be redefined
– Can be reactivated

SLIDE 27


Redefining Schema Objects

– The object identifier and the ldapDisplayName can be reused

Example:

– Active Directory does not permit you to change the syntax of an attribute after it has been defined in the schema
– Deactivate the attribute and create a new attribute that reuses the same object identifier and LDAP display name as the old attribute, but with the desired attribute syntax


To deactivate schema objects, set the isDefunct attribute to TRUE

– Programmatically
– With the Active Directory Schema snap-in

Only objects that have been added to the base schema (not the base schema objects themselves) can be deactivated or redefined

SLIDE 28


To reactivate schema objects, set the isDefunct attribute to FALSE
Any existing instances become valid, normal objects again
There must be no collisions with active schema objects (ldapDisplayName, schemaIDGUID, attributeID/governsID, ...)


SLIDE 29

inetOrgPerson

Novell's Claims against Active Directory (December 1999):

DID YOU KNOW that Windows2000 does not conform to LDAP standards? This means that many off the shelf LDAP applications (Netscape, Oblix, Netegrity, etc) cannot run against Active Directory? It seems that Windows2000 doesn’t derive users from InetOrgPerson, which is the LDAP standard. Therefore, most LDAP applications won’t recognize Active Directory users.


Windows 2000 Active Directory

– The user account object is implemented as the 'user' class

Other LDAP implementations

– The user account object is implemented as the inetOrgPerson class (RFC 2798)
– Do not recognize AD users

In Windows.NET Active Directory:

– New inetOrgPerson class, compatible with the user class

SLIDE 30


Windows.NET inheritance chain:

top (abstract)
  > person (abstract)
    > organizationalPerson (abstract)
      > user (structural)
        > inetOrgPerson (structural)

RFC 2798 inheritance chain: 

top (abstract)
  > person (structural)
    > organizationalPerson (structural)
      > inetOrgPerson (structural)


Exchange 2000 schema extension

– secretary: 1.2.840.113556.1.2.444
– labeledURI: 1.2.840.113556.1.2.593

inetOrgPerson (RFC 2798)

– secretary: 0.9.2342.19200300.100.1.21
– labeledURI: 1.3.6.1.4.1.250.1.57

Solution: change the lDAPDisplayName of the Exchange attributes

– secretary -> msExchAssistantName
– labeledURI -> msExchLabeledURI

SLIDE 31


inetOrgPerson and user objects are different entities
Up to now there is NO Exchange 2000 support for inetOrgPerson objects
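Two things from the inetOrgPerson slides can be verified in a forest: whether the name/OID collisions listed above exist in this schema before an inetOrgPerson extension is applied, and what "compatible with the user class but a different entity" means for the tools. This is an added example, not code from the slides; it assumes the ActiveDirectory module of the released product line (where inetOrgPerson ships in the base schema) and the hypothetical account and OU names below.

```powershell
Import-Module ActiveDirectory

function Test-InetOrgPersonSchemaCollisions {
    # For each RFC 2798 attribute: which OID the name is currently bound to, and which name the
    # RFC OID is bound to. A collision is a name already bound to a different OID (the Exchange case above).
    $schema = (Get-ADRootDSE).schemaNamingContext
    $wanted = @{ secretary = '0.9.2342.19200300.100.1.21'; labeledURI = '1.3.6.1.4.1.250.1.57' }
    foreach ($name in $wanted.Keys) {
        $byName = Get-ADObject -SearchBase $schema -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$name))" -Properties attributeID
        $byOid  = Get-ADObject -SearchBase $schema -LDAPFilter "(&(objectClass=attributeSchema)(attributeID=$($wanted[$name])))" -Properties lDAPDisplayName
        [pscustomobject]@{
            Attribute   = $name
            NameBoundTo = if ($byName) { $byName.attributeID } else { '(free)' }
            Rfc2798Oid  = $wanted[$name]
            OidBoundTo  = if ($byOid) { $byOid.lDAPDisplayName } else { '(free)' }
            Collision   = [bool]$byName -and ($byName.attributeID -ne $wanted[$name])
        }
    }
}

function New-InetOrgPersonAccount {
    # -Type selects the structural class; everything else (SID, sAMAccountName, password policy)
    # works as for a user because inetOrgPerson derives from user in AD.
    param([string]$Name, [string]$Sam, [string]$OU)
    New-ADUser -Name $Name -SamAccountName $Sam -Path $OU -Type inetOrgPerson -Enabled $false -PassThru
}

function Get-AccountClassReport {
    # Get-ADUser returns both classes; ObjectClass (the most specific class) tells them apart,
    # which matters for tools that filter on (objectClass=user) versus (objectClass=inetOrgPerson).
    param([string]$Sam)
    $u = Get-ADUser -Identity $Sam -Properties objectCategory
    [pscustomobject]@{
        Account  = $u.SamAccountName
        Sid      = $u.SID.Value
        Class    = $u.ObjectClass
        Category = $u.objectCategory
    }
}

# Test-InetOrgPersonSchemaCollisions | Format-Table -AutoSize
# New-InetOrgPersonAccount -Name 'Ldap Test' -Sam 'ldaptest' -OU 'OU=Test,DC=corp,DC=example,DC=com'
# Get-AccountClassReport -Sam 'ldaptest'
```

The Collision column is the check to run before importing any inetOrgPerson schema file into a forest that already has Exchange 2000 extensions: if secretary or labeledURI is bound to an Exchange OID, the rename described above has to happen first.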