Skip to content

Latest commit

 

History

History
114 lines (86 loc) · 5.57 KB

Active-Directory.md

File metadata and controls

114 lines (86 loc) · 5.57 KB
Raw

Windows Active Directory:

Windows Active Directory Files Overview

1. SYSVOL Folder

  • Purpose: SYSVOL (System Volume) is a shared directory on domain controllers in a Windows Server environment that stores group policy data, scripts, and other critical files necessary for Active Directory (AD) replication across the domain.
  • Location: Typically found at C:\Windows\SYSVOL.
  • Functions:
    • Stores Group Policy Objects (GPOs) and login/logoff scripts.
    • Replicated across all domain controllers to ensure consistency in the domain.

2. ntds.dit: Active Directory Database File

  • Purpose: The ntds.dit file is the primary database file for Active Directory, containing all directory data, including user accounts, groups, and other AD objects.
  • Location: Found at C:\Windows\NTDS.
  • Functions:
    • Stores all Active Directory information and is essential for the operation of AD services.
    • Handles data like user credentials, computer accounts, and directory service data.

3. Active Directory Log Files

  • Purpose: These log files track changes and transactions in the Active Directory database, ensuring data integrity and supporting recovery operations.
  • Location: Typically stored in C:\Windows\NTDS.
  • Functions:
    • EDB.LOG: The main transaction log file.
    • EDB.CHK: A checkpoint file that tracks the last transaction committed to the database.
    • Supports recovery in case of unexpected shutdowns or crashes.

Understanding Domain and Local Logins in Windows

1. Domain Login

  • Purpose: Allows users to authenticate and access resources within a Windows domain managed by Active Directory.
  • Login Format:
    • Using Full Domain Name: [email protected]
    • Using NETBIOS Name: DOMAIN\username
    • NETBIOS Name: A shorter, simpler version of the domain name used for compatibility with older systems.
  • Example:
    • Domain Name: example.com
    • NETBIOS Name: EXAMPLE
    • Login: EXAMPLE\username or [email protected]

2. Local Login

  • Purpose: Allows users to authenticate and access resources on the local machine, independent of any domain.
  • Login Format:
    • Using Local Machine Name: MACHINE_NAME\username
    • Using Local Login Shortcut: .\username
  • Explanation:
    • The .\ prefix forces Windows to authenticate the user against the local machine's accounts instead of domain accounts.
    • It is useful when the same username exists both locally and in the domain or when the network is unavailable.
  • Example:
    • Local Machine Name: MACHINE1
    • Login: .\username or MACHINE1\username

Use Cases

  • Domain Login: Ideal for accessing shared resources, applications, and settings configured by IT across an organization.
  • Local Login: Necessary for administrative tasks on a local machine, troubleshooting domain login issues, or when a domain is not available.

Understanding these different login methods helps ensure proper access to resources, whether on a local machine or within a domain environment.

Active Directory Functional Levels

Functional Levels determine the features and capabilities available in a domain or forest in Active Directory. They specify the minimum Windows Server version required for domain controllers.

1. Domain Functional Level (DFL)

  • Purpose: Controls features within a single domain.
  • Levels:
    • Windows 2000 to Windows Server 2022.
  • Considerations:
    • Raising the level enables new features but requires all domain controllers to use the corresponding Windows Server version.
    • Once raised, it cannot be downgraded.

2. Forest Functional Level (FFL)

  • Purpose: Controls features across all domains in a forest.
  • Levels:
    • Windows 2000 to Windows Server 2022.
  • Considerations:
    • Raising the level enables forest-wide features and requires all domains to meet the corresponding version.
    • Once raised, it cannot be downgraded.

Checking and Raising Levels

  • Check: Use Active Directory Users and Computers or PowerShell cmdlets (Get-ADDomain, Get-ADForest).
  • Raise: Use Active Directory Users and Computers or PowerShell cmdlets (Set-ADDomainMode, Set-ADForestMode).

Global Catalog in Active Directory

Purpose:

  • Facilitates Searches: Provides a searchable index of all objects across the forest.
  • Supports Logins: Essential for user logins and cross-domain authentication.

Functionality:

  • Partial Attribute Set: Contains a subset of attributes for every object in the forest.
  • Domain Controllers: At least one per domain should be a Global Catalog server.

Configuration:

  • Enable GC: In Active Directory Sites and Services, check the "Global Catalog" option for the domain controller.

Considerations:

  • Performance: GC can impact performance due to replication and indexing.
  • Availability: Ensure multiple GC servers for redundancy and efficient directory access.

On the DNS Options page, you’l see an error message stating that there’s no parent zone found and no delegation for your DNS server could be created. Ignore this message and click the “next” button, leaving all the settings at this checkpoint unchanged.

NOTE: Whenever you need to add a new forest, make sure that you are logged into the server as the local administrator of that machine. You can always add more domain controllers to your server. However, you must be a member of the domain administrators’ group to be able to do so.