Active Directory Logical Structure — Part 2



The most basic components of the logical structure of Active Directory are

a) Leaf objects, which do not have any child objects

b) Container objects, which have child objects.

 

 

The main reason for these objects is to manage data. Understanding these logical components helps engineers design Active Directory and troubleshoot it efficiently. The logical structure consists of the following:

 

 

Forest:

In Active Directory the forest is the top-level container, in which all the domain containers are stored. A forest can hold any number of domains, so any number of domain containers can be stored in the forest container. The domain containers share a common global catalog, schema, directory configuration and logical structure, and are joined by two-way transitive trusts.

Note: The first domain in the forest acts as the root domain, e.g. sai.com.

 

 

Domain:

A domain is a container object which can hold millions of objects. These objects share a common database. As explained in my earlier post, every domain has its own data store, schema and database. The domain also defines the security policies for its objects and the trust relationships.

 

 

Domain Tree:

AD provides the flexibility of creating child domains under a parent domain / root domain; this is called a domain tree. E.g. test.sai.com under sai.com.

 

 

 

Organizational Unit:

Suppose a company has 1000 users and these users have different privileges; the administrator has a tough time identifying the privileges of each user. With the help of OUs he can group the users with similar privileges, which makes management easy.

OUs are container objects which help in arranging different types of objects under them.

 

 

Site Objects:

AD replication is achieved by means of the site objects. They include both container objects and leaf objects. Site objects are the topmost objects used to implement AD replication. The site container stores the objects that are used by the KCC (Knowledge Consistency Checker). Some of the well-known objects are NTDS Settings objects, subnet objects, connection objects, server objects and the site object itself (one object per site).

 

 

 

 

In order to view, manage and manipulate the above objects, you can:

a) install AD

b) create a domain

c) manage users using the Active Directory Users and Computers MMC

d) use Active Directory Domains and Trusts for managing trusts

e) use the Active Directory Schema MMC
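As an added example (not part of the original post), the following PowerShell walks the same logical structure described above with the ActiveDirectory RSAT module: forest, domain tree, OUs and the site objects the KCC reads. It assumes the module is installed and the session runs as a domain user; every query is read-only.

```powershell
# Added example, not from the original post: walk forest -> domains -> OUs -> sites
# with the ActiveDirectory module (RSAT). Assumes the module is installed and the
# session runs as a domain user; all queries are read-only.
Import-Module ActiveDirectory
# Forest: the top-level container and what all its domains share.
function Get-AdForestSummary {
    $forest = Get-ADForest
    [PSCustomObject]@{
        RootDomain     = $forest.RootDomain       # first domain created, e.g. sai.com
        Domains        = $forest.Domains          # every domain container in the forest
        GlobalCatalogs = $forest.GlobalCatalogs   # shared global catalog
        SchemaMaster   = $forest.SchemaMaster     # one schema for the whole forest
        Sites          = $forest.Sites
    }
}
# Domain tree: indent each domain by how far its DNS name extends the root's name.
function Get-AdDomainTree {
    $forest = Get-ADForest
    $rootDepth = $forest.RootDomain.Split('.').Count
    foreach ($d in ($forest.Domains | Sort-Object)) {
        '{0}{1}' -f ('  ' * ($d.Split('.').Count - $rootDepth)), $d   # sai.com, then test.sai.com
    }
}
# OUs: container objects used to group users with similar privileges.
function Get-AdOuSummary {
    Get-ADOrganizationalUnit -Filter * | ForEach-Object {
        [PSCustomObject]@{
            OU    = $_.DistinguishedName
            Users = @(Get-ADUser -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count
        }
    }
}
# Site objects read by the KCC: each site, its subnets and the connection objects
# (replication links) that sit under the NTDS Settings of servers in that site.
function Get-AdSiteTopology {
    $connections = Get-ADReplicationConnection -Filter *
    foreach ($site in Get-ADReplicationSite -Filter *) {
        [PSCustomObject]@{
            Site        = $site.Name
            Subnets     = @(Get-ADReplicationSubnet -Filter "Site -eq '$($site.DistinguishedName)'").Name
            Connections = @($connections | Where-Object DistinguishedName -like "*,CN=$($site.Name),CN=Sites,*").Name
        }
    }
}
Get-AdForestSummary
Get-AdDomainTree
Get-AdOuSummary | Sort-Object Users -Descending
Get-AdSiteTopology
```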

 

Life Stages Of Any Program


Welcome back to my blog. I have kept things varied, and blogging about different technologies keeps to the aim that I will help as many users worldwide as possible. I will be exploring more of Windows internals, but prior to that I would like to get into the basics; I understand most engineers do not get a chance to really know what is happening at the lower end of any PC.

 

I respect the documents, publications and books which explain how the computer architecture is built and how the data flows. Every computer is made up of several pieces of hardware, and I would say a combination of hardware and logic gates; every chip has trillions of (logic) gates. So for an engineer it is always tough to decide the path, either electronics or computers; well, if you want to really touch the core of an OS you should be a master of both, and particularly of mathematics 🙂

 

 

Finally an OS ends with exes, DLLs, libraries, processes, threads etc. When I learnt my first program, "hello world" from K&R, I was curious to understand what happens when I click the execute tab / compile tab. I wasn't keen on what I typed, but the latter was interesting to me.

 

 

The program below is a classic newbie program to start with. You get the output "hello world" after it runs successfully. But every engineer should know that in order to get that output, every component of the OS has to work.

 

 

 

#include <stdio.h>

int main(void)
{
    printf("hello, world\n");   /* the \n is the newline byte discussed below */
    return 0;
}

 

 

The following is the process I would encourage every engineer to understand; it will make them a robust programmer.

 

Stage 1: save the program as test.c from the editor.

Stage 2: test.c is stored as bits (0 or 1), and these bits are grouped to form bytes. A byte is 8 bits. Each of these bytes represents a character.

Stage 3: we follow the ASCII convention / standard to represent these characters. The ASCII standard represents each character with a unique byte integer value.

 

For example, the first line of the above program is represented in the file as

   #    i    n    c    l    u    d    e <sp>    <    s    t    d    i    o    .    h    >   \n
  35  105  110   99  108  117  100  101   32   60  115  116  100  105  111   46  104   62   10

Please note that after the end of <stdio.h> the line is terminated by the newline character "\n" (byte value 10), which is not visible to the end user. So the above program is stored as a sequence of bytes, not characters.

 

Stage 4: in the background this source file has to be converted to the appropriate machine instructions, which then produce the output called an "exe".

Before the programmer gets the exe, test.c undergoes the different phases listed below.

 

Preprocessor: In this phase the preprocessor adds other files to the program. Yes, that is right: you have added stdio.h to your test.c, so during this phase the preprocessor reads the contents of stdio.h, adds them to the program and sends the result to the compiler.

Compilation: The compiler accepts the output of the preprocessor as input, converts the text to assembly language and sends the file to the assembler. I will say more about the compiler in my next blog: lexical analysis, parsing and code generation, which are the building blocks of a compiler.

Assembly: The assembler accepts the file from the compiler and converts the assembly instructions to machine-level instructions. The assembler creates an object file (e.g. test.o). This file is sent to the linker.

Linking: The main objective of the linker is to link files; simple, right? Let me explain: in our program we have used the printf function, a predefined function rather than one we defined ourselves. This printf resides in a precompiled object file (printf.o), which has to be linked to our program; this is performed by the linker. After the linking has been done, the output we get is the executable.

 

 

test.c / test.cpp -> preprocessor -> compiler -> assembler -> linker -> executable
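To make Stages 2 to 4 concrete, here is an added PowerShell example (not from the original post) that writes test.c, dumps its first line as bytes exactly as the table above does, and then runs the four phases as separate gcc invocations so every intermediate file survives. It assumes gcc (e.g. MinGW-w64) is on PATH and a writable current directory; the names test.i, test.s, test.o and test.exe are my choice.

```powershell
# Added example, not from the original post. Assumes gcc on PATH and a writable
# current directory; the intermediate file names are assumed.
$source = @'
#include <stdio.h>

int main(void)
{
    printf("hello, world\n");
    return 0;
}
'@
# Stage 1: save as test.c with plain "\n" line endings so the byte dump matches the table.
[System.IO.File]::WriteAllText('test.c', $source.Replace("`r`n", "`n") + "`n")

# Stages 2-3: the file is a sequence of bytes; show char / ASCII value for line 1.
function Show-FirstLineBytes([string]$Path) {
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $end   = [Array]::IndexOf($bytes, [byte]10)                   # first "\n"
    $line  = $bytes[0..$end]                                      # up to and including it
    $chars = foreach ($b in $line) { switch ($b) { 32 { '<sp>' } 10 { '\n' } default { [char]$b } } }
    ($chars | ForEach-Object { '{0,4}' -f $_ }) -join ' '
    ($line  | ForEach-Object { '{0,4}' -f $_ }) -join ' '
}
Show-FirstLineBytes test.c

# Stage 4: one gcc invocation per phase; each output is the next phase's input.
# -fno-builtin keeps the printf call as printf (gcc would otherwise substitute puts).
$phases = @(
    @{ Name = 'Preprocessor'; Args = '-E test.c -o test.i';              Out = 'test.i' }   # stdio.h spliced in
    @{ Name = 'Compiler';     Args = '-S -fno-builtin test.i -o test.s'; Out = 'test.s' }   # assembly text
    @{ Name = 'Assembler';    Args = '-c test.s -o test.o';              Out = 'test.o' }   # machine-code object
    @{ Name = 'Linker';       Args = 'test.o -o test.exe';               Out = 'test.exe' } # printf resolved here
)
foreach ($p in $phases) {
    $gcc = Start-Process gcc -ArgumentList $p.Args -NoNewWindow -Wait -PassThru
    if ($gcc.ExitCode -ne 0) { throw "$($p.Name) failed with exit code $($gcc.ExitCode)" }
    '{0,-12} -> {1,-8} {2,7} bytes' -f $p.Name, $p.Out, (Get-Item $p.Out).Length
}
# The compiler only emitted a call to an external symbol; the linker supplied its body.
(Select-String -Path test.s -Pattern 'printf').Line
& .\test.exe
```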

 

 

Now the interesting part: every programmer understands the portion above, but what makes him an expert? When he analyses the assembly portion of the code, he understands how the code is handled in terms of both memory and machine language.

Wait for more in the next blog.

Active Directory Logical Structure – Part 1



Understanding Active Directory is just like completing your PhD program. I would say many administrators still struggle with the hierarchy and the placement of the logical structure of AD. So I thought of writing down the components involved in the AD logical structure, as we only ever manipulate the logical structure.

 

Container
    Forests
        Domains
            Organization Units

All the above components are implemented as containers.

 

 

There is an important concept which I would like to emphasize: AD is a service. AD stores information in the form of objects and then makes these objects available to users with the help of the forest and domain structures.

 

Core Components Of AD – Logical Structure.

The placement of data in the above diagram gives the administrator flexible authentication and authorization of network devices. Architects should view this model from a security perspective, with which they can decide which devices need which authentication.

But the above diagram does not show the physical implementation of the logical structure.

Architects / system engineers consider security, and just security. So planning is a vital part of their job; when you drill down into AD and use it to its maximum potential, you realize how well you can control devices:

 

·        File sharing

·        Logon permissions

·        Creating different departments with appropriate permissions

·        Device restrictions

·        VPN access

·        PKI

One has to understand and implement the above concepts to appreciate the robustness of AD.

 

 

App-V Basics -1


Application Virtualization

 

 

 

Gone are the days when you would use CDs to install applications and had to work out where exactly the settings were stored, how to configure them and how to manage them. Administrators had a tough time installing software onto thousands of clients. Microsoft has worked aggressively on this technology called App-V.

App-V technology is much appreciated: there is no need for administrators to visit each and every desktop to install software. The software is installed on demand with the help of App-V, which means all the DLLs, exes and ini files are packaged and installed onto the desktops when requested. Overall, managing enterprise applications has become easy with App-V.

 

The following are the major components involved in designing an App-V environment:

Application Management Server: This server acts as the heart of the App-V structure. It is responsible for publishing the links, shortcuts and file type associations to the App-V client, and also manages licensing and upgrades.

Application Streaming Server: This component only supports streaming and does not provide any other functionality. It is useful only in branch office scenarios where clients are only allowed to contact restricted servers, so you can point your clients at the streaming server for any content.

Database / Data Store: SQL database which stores application-related information such as group info, records and application assignments.

Management Service / Web Service: Any I/O operations to or from the database are managed by this service. You can install this service on the management server or on a separate server.

MMC: It is advisable to install this on the same server (the management server); this component helps administrators manage the App-V server. Prerequisites: MMC 3.0 and .NET 2.0 installed.

App-V Client: This component should be installed on the clients or on TS clients. The client communicates with the servers and manages caching and refreshing of content.

App-V Sequencer: This component helps to create virtual application packages in the form of OSD files.

 

 

 

 

Important Considerations:

·        The App-V service runs under the Network Service account.

·        You need to modify the ACL on the private key for TLS-secured communications. Many administrators fail at this step and end up with tons of certificate errors (specifically, SCHANNEL error messages).

·        Use WinHttpCertCfg.exe to modify the certificate permissions.
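As an added example (not from the original post), the PowerShell below audits, and optionally grants, Read access on a certificate's private key for NETWORK SERVICE, the account the App-V service runs under, which is the ACL change the second consideration describes. It assumes an RSA (CAPI) certificate in LocalMachine\My identified by a placeholder thumbprint, and an elevated session.

```powershell
# Added example, not from the original post. Assumes an RSA (CAPI) certificate in
# LocalMachine\My, a placeholder thumbprint and an elevated session.
function Grant-PrivateKeyRead {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][string]$Thumbprint,
        [string]$Account = 'NT AUTHORITY\NETWORK SERVICE'
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
    if (-not $cert)               { throw "No certificate $Thumbprint in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

    # CAPI RSA keys live as files under MachineKeys, named by the key container.
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $keyPath   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys\$container"
    if (-not (Test-Path $keyPath)) { throw "Key file not found: $keyPath (CNG keys are stored elsewhere)" }

    # Does the account already hold an Allow ACE that includes Read?
    $acl     = Get-Acl $keyPath
    $readBit = [System.Security.AccessControl.FileSystemRights]::Read
    $hasRead = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $readBit) -eq $readBit)
    }
    if ($hasRead) { return "OK: $Account can already read the private key" }

    # Only the missing Read right is added; existing ACEs are left untouched.
    if ($PSCmdlet.ShouldProcess($keyPath, "grant Read to $Account")) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
        $acl.AddAccessRule($rule)
        Set-Acl -Path $keyPath -AclObject $acl
        return "Granted Read on the private key to $Account"
    }
    return "Audit only: $Account cannot read the private key"
}

# Audit first; remove -WhatIf to apply the change.
Grant-PrivateKeyRead -Thumbprint 'PLACEHOLDER_THUMBPRINT' -WhatIf
```

The WinHttpCertCfg.exe route mentioned above achieves the same grant in one command: winhttpcertcfg -g -c LOCAL_MACHINE\My -s <certificate subject> -a "NETWORK SERVICE" (and -l in place of -g lists who currently has access).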

 

 

 Hope this info is useful !

 

                                

Black Screen Of Death


There is a high number of reports about a new issue called the "Black Screen Of Death", where customers / users felt that after installing the November 2009 updates on Windows 7 clients the desktop gets cleared completely and produces a black screen on which users are unable to do anything, and the only solution is to rebuild the entire OS.
 
Microsoft has done extensive testing at high priority and found that none of their November / previous updates were the culprit causing this issue. They also found that the issue is caused by malware. This malware belongs to the Donol family.
 
You can produce the statement below for customers and educate them:
 

“The reports on the so called “Black Screens” was investigated by Microsoft and found to be inaccurate. The company which issued the report has apologized and made a full retraction. Windows 7 security updates was not the cause of the black screens. There is no fix or update necessary for this, but customers should keep their anti-virus software up-to-date as a preventative measure. So far, Microsoft is not seeing an occurrence of this particular issue in our support channels locally.

Hope this helps! 

Active Directory Basics – Part 2



Abstract

Engineers have to understand the major components of Active Directory, with which their life becomes pretty easy. At the upper layer AD is very simple, but when you actually start deploying or troubleshooting it you might find you are lost; once you understand the core components, you know exactly where to look.

I would say the heart of Active Directory is nothing but the Data Store, because the data store acts as an interface between the schema and the physical directory. There is two-way communication between the physical directory and the schema.

This data store resides on every domain controller in the forest. There is an internal representation of the data store; in other words, the data store consists of sub-components communicating with each other.

 

Simplified Explanation:

In its very simplest form, the data store acts like a firewall that allows or denies requests for applications. The data store does the same job:

– It provides a way for applications to communicate with the database.

– It provides a way to filter the communications.

Implementation:

The data store is nothing but a collection of interfaces which are used to provide 2 major tasks for applications / clients:

a)       Provide an interface to communicate with the data store

b)       Provide access to the physical database using the data store interfaces

c)       Filter the application calls made to the database for data retrieval or data commit

 

 

Interfaces In Data Store:

·        LDAP interface

·        SAM interface

·        ESE interface

·        Replication interface

·        DSA interface

 

 

 

 

Did You Know:

The DSA (Directory System Agent) is the component which does schema-related activities. The DSA performs the following:

a)       Enforces the rules

b)       Checks the schema

c)       Enforces data types on attributes.

 

 

Example:

Application -> Data store -> Database

Lower view:

Application -> uses LDAP -> uses the DSA for access to the directory -> filters the necessary API calls -> ESE, which communicates directly with the database -> physical database.

From the above example you can now have a clear understanding of the data flow.

Hope you have enjoyed this article; look out for the next session.

 

 

 

 

 

 

Active Directory Basics – Part 1



We have to understand the directory structure to get a clear understanding of Active Directory. Many of us are reluctant to learn AD because it is like swimming the Pacific Ocean. But when you start analysing the building blocks of AD, you will feel relaxed and then start thinking about Active Directory and its implementation.

Every organization today uses Active Directory as a centralized repository; all of them use AD to store their data. In the very simplest form you need to understand (just remember DOS 🙂)

 

Directory:  The place where all the data gets stored

Objects:    Applications use objects to store data in the directory

Schema:     In order to use an object, the object must be defined in the schema, without which you cannot use the object to store data in the directory

Data Flow

Application -> Object -> Schema -> Directory

 

 

 

This directory is viewed as

a)       Logical structure: exposed to users as forests and domains

b)       Physical structure: implemented as a database residing on each and every domain controller.

Communication with the database is not straightforward; we need some means to write data to the directory, so Microsoft uses the Active Directory data store as an interface to write data to the directory. This AD data store is made up of services and files which decide how to handle I/O operations on the database.

 

 

Data Flow

Application -> Object -> AD Data Store -> Database
                              |
                      Files and Services
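As an added example (not part of this post or the previous one), the PowerShell below reproduces, read-only, the check the DSA performs on the "Application -> Object -> Schema -> Directory" flow: whether a class is defined in the schema, which attributes are mandatory across its inheritance chain, and the syntax (data type) the DSA enforces on each. It assumes the ActiveDirectory RSAT module and a reachable domain controller; the syntax-OID table is an assumed subset of the documented syntaxes, and myCustomWidget is a made-up class name.

```powershell
# Added example, not from the original posts. Assumes the ActiveDirectory module and a
# reachable domain controller; everything here is read-only.
Import-Module ActiveDirectory
# attributeSyntax OIDs to names (assumed subset of the documented syntax table).
$syntaxNames = @{
    '2.5.5.1'  = 'DN';              '2.5.5.2'  = 'OID';          '2.5.5.8'  = 'Boolean'
    '2.5.5.9'  = 'Integer';         '2.5.5.10' = 'OctetString'; '2.5.5.11' = 'GeneralizedTime'
    '2.5.5.12' = 'UnicodeString';   '2.5.5.15' = 'NTSecurityDescriptor'
    '2.5.5.16' = 'LargeInteger';    '2.5.5.17' = 'SID'
}
function Test-SchemaDefinesClass {
    param([Parameter(Mandatory)][string]$ClassName)
    $schemaNC  = (Get-ADRootDSE).schemaNamingContext
    $mandatory = @(); $current = $ClassName
    # Walk the inheritance chain (e.g. user -> organizationalPerson -> person -> top),
    # collecting mandatory attributes at every level, as the DSA does.
    while ($current) {
        $class = Get-ADObject -SearchBase $schemaNC -Properties mustContain,systemMustContain,subClassOf `
            -LDAPFilter "(&(objectClass=classSchema)(lDAPDisplayName=$current))"
        if (-not $class) { return $null }         # not in the schema: the write would be refused
        $mandatory += @($class.systemMustContain) + @($class.mustContain)
        $current = if ($class.subClassOf -eq $current) { $null } else { $class.subClassOf }  # top is its own parent
    }
    foreach ($attr in ($mandatory | Where-Object { $_ } | Sort-Object -Unique)) {
        $a = Get-ADObject -SearchBase $schemaNC -Properties attributeSyntax,isSingleValued `
            -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$attr))"
        [PSCustomObject]@{
            Class       = $ClassName
            Attribute   = $attr
            Syntax      = $syntaxNames[[string]$a.attributeSyntax]
            SyntaxOID   = $a.attributeSyntax
            SingleValue = $a.isSingleValued
        }
    }
}
# A class the schema defines: every mandatory attribute with the type the DSA enforces.
Test-SchemaDefinesClass -ClassName 'user' | Format-Table -AutoSize
# A class the schema does not define returns nothing, so objects of it cannot be stored.
if (-not (Test-SchemaDefinesClass -ClassName 'myCustomWidget')) {
    'myCustomWidget is not defined in the schema; the DSA would refuse the object'
}
```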