Active Directory Partitions and Replicas In a Forest


Active Directory Partitions and replicas form the firm foundation for Active Directory Replication. In any enterprise Active Directory infrastructure there may be tens to hundreds of Domain Controllers spread across different sites, supporting multiple Active Directory Domains in a Forest.

The table below lists the Active Directory Partitions and their roles.

Serial Number | Active Directory Partition | Forest Wide | Domain Wide | What does it store | Replication
1 | Configuration Partition | Yes. Only one Configuration partition per Forest | | Stores information about Sites, services, extended permissions etc. | Replicated across all Domain Controllers in the Forest
2 | Schema Partition | Yes. Only one Schema partition per Forest | | Schema definitions, classes and attribute definitions of all AD objects | Replicated across all Domain Controllers in the Forest
3 | Domain Partition | | Yes. One per Domain | Stores user objects, computer objects, Organizational Units, Groups etc. | Replicated only to Domain Controllers within the Domain
4 | Domain Partition (Global Catalog) | | Yes. One per Domain | Stores a partial set of attributes from the different directory partitions (domains) | Replicated across all Domain Controllers in the Forest
5 | Application Partition | Yes. Any number of Application Partitions | | Stores application-specific data | Replicated across specific Domain Controllers in the Forest

With the information above, we will do a little math on a conceptual organization which is spread across different sites and has two Active Directory Domains in an AD Forest.

Solution Architecture Diagram: AD Forest (image not included)


Active Directory Replica Chart

Domain | AD Site | Domain Controller | Configuration Partition | Schema Partition | Domain Partition A | Domain Partition B
Domain A | Primary Site | Global Catalog PS | Full Replica | Full Replica | Full Replica | Partial Replica
Domain A | Primary Site | Domain Controller 1 PS | Full Replica | Full Replica | Full Replica |
Domain A | Primary Site | Domain Controller 2 PS | Full Replica | Full Replica | Full Replica |
Domain A | Branch Site 1 | Global Catalog BS1 | Full Replica | Full Replica | Full Replica | Partial Replica
Domain A | Branch Site 1 | Domain Controller BS1 | Full Replica | Full Replica | Full Replica |
Domain A | Branch Site 2 | Global Catalog BS2 | Full Replica | Full Replica | Full Replica | Partial Replica
Domain A | Branch Site 2 | Domain Controller BS2 | Full Replica | Full Replica | Full Replica |
Domain B | Primary Site | Global Catalog PS | Full Replica | Full Replica | Partial Replica | Full Replica
Domain B | Primary Site | Domain Controller PS | Full Replica | Full Replica | | Full Replica
Domain B | Branch Site 1 | Global Catalog BS1 | Full Replica | Full Replica | Partial Replica | Full Replica
Domain B | Branch Site 1 | Domain Controller BS1 | Full Replica | Full Replica | | Full Replica
Domain B | Branch Site 2 | Global Catalog BS1 | Full Replica | Full Replica | Partial Replica | Full Replica
Domain B | Branch Site 2 | Domain Controller BS1 | Full Replica | Full Replica | | Full Replica
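The "little math" behind the chart can be reproduced by encoding the three replication rules from the partition table (Configuration and Schema go to every DC; a domain's own partition is a full replica on its DCs; a Global Catalog additionally holds a partial replica of every other domain). The script below is an added example, not code from the original post. The DC inventory is constructed to match the chart (Domain A / Domain B, sites PS, BS1 and BS2), and the function name Get-ReplicaRow is this example's own.

```powershell
# Added example (not from the original post): rebuild the replica chart from
# the replication rules and count how many copies of each partition exist.

$domains = @('Domain A', 'Domain B')

# Constructed inventory matching the chart above (one object per DC).
$dcs = @(
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Primary Site';  Name = 'Global Catalog PS';      IsGC = $true  }
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Primary Site';  Name = 'Domain Controller 1 PS'; IsGC = $false }
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Primary Site';  Name = 'Domain Controller 2 PS'; IsGC = $false }
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Branch Site 1'; Name = 'Global Catalog BS1';     IsGC = $true  }
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Branch Site 1'; Name = 'Domain Controller BS1';  IsGC = $false }
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Branch Site 2'; Name = 'Global Catalog BS2';     IsGC = $true  }
    [pscustomobject]@{ Domain = 'Domain A'; Site = 'Branch Site 2'; Name = 'Domain Controller BS2';  IsGC = $false }
    [pscustomobject]@{ Domain = 'Domain B'; Site = 'Primary Site';  Name = 'Global Catalog PS';      IsGC = $true  }
    [pscustomobject]@{ Domain = 'Domain B'; Site = 'Primary Site';  Name = 'Domain Controller PS';   IsGC = $false }
    [pscustomobject]@{ Domain = 'Domain B'; Site = 'Branch Site 1'; Name = 'Global Catalog BS1';     IsGC = $true  }
    [pscustomobject]@{ Domain = 'Domain B'; Site = 'Branch Site 1'; Name = 'Domain Controller BS1';  IsGC = $false }
    [pscustomobject]@{ Domain = 'Domain B'; Site = 'Branch Site 2'; Name = 'Global Catalog BS2';     IsGC = $true  }
    [pscustomobject]@{ Domain = 'Domain B'; Site = 'Branch Site 2'; Name = 'Domain Controller BS2';  IsGC = $false }
)

function Get-ReplicaRow {
    param([pscustomobject]$Dc, [string[]]$Domains)
    # Configuration and Schema partitions replicate to every DC in the forest.
    $row = [ordered]@{
        Domain                    = $Dc.Domain
        Site                      = $Dc.Site
        'Domain Controller'       = $Dc.Name
        'Configuration Partition' = 'Full Replica'
        'Schema Partition'        = 'Full Replica'
    }
    foreach ($d in $Domains) {
        $column = 'Domain Partition ' + $d.Split(' ')[-1]
        if ($d -eq $Dc.Domain) { $row[$column] = 'Full Replica' }     # own domain: full, writable replica
        elseif ($Dc.IsGC)      { $row[$column] = 'Partial Replica' }  # other domain: GC holds the partial attribute set
        else                   { $row[$column] = '' }                 # other domain, not a GC: no copy at all
    }
    [pscustomobject]$row
}

$chart = $dcs | ForEach-Object { Get-ReplicaRow -Dc $_ -Domains $domains }
$chart | Format-Table -AutoSize

# The "little math": how many copies of each partition are held across the forest.
$partitions = @('Configuration Partition', 'Schema Partition') +
              ($domains | ForEach-Object { 'Domain Partition ' + $_.Split(' ')[-1] })
$summary = foreach ($p in $partitions) {
    [pscustomobject]@{
        Partition       = $p
        FullReplicas    = @($chart | Where-Object { $_.$p -eq 'Full Replica' }).Count
        PartialReplicas = @($chart | Where-Object { $_.$p -eq 'Partial Replica' }).Count
    }
}
$summary | Format-Table -AutoSize
```

With the thirteen DCs in the chart this gives thirteen full copies of the Configuration and Schema partitions, seven full plus three partial copies of Domain Partition A, and six full plus three partial copies of Domain Partition B. The partial count is the figure worth watching from a security standpoint: it is the number of servers outside a domain that carry a read-only copy of that domain's attributes, which is why Global Catalog placement deserves the same scrutiny as DC placement.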
Active Directory Directory System Agent


The directory system agent (DSA) is a collection of services and processes that run on each Windows 2000 Server and later domain controller and provide access to the data store. The data store is the physical store of directory data located on a hard disk. In Active Directory Domain Services, the DSA is part of the Local Security Authority (LSA) subsystem. Clients access the directory using one of the following mechanisms supported by the DSA. This document provides details about the Active Directory Directory System Agent implementation and a practical view of the component. The DSA is the primary component for Active Directory LDAP operations, and the document helps Administrators understand the implementation aspects of the component.

 

Please follow the link below to download the document; hope it helps!

http://gallery.technet.microsoft.com/Active-Directory-Directory-cca49b03

Windows Security Support Provider Architecture


The SSPI in Windows provides a mechanism that carries authentication tokens over the existing communication channel between the client computer and the server. When two computers or devices need to be authenticated so that they can communicate securely, the requests for authentication are routed to the SSPI, which completes the authentication process regardless of the network protocol currently in use.

Figure: Windows Security Support Provider Architecture (image not included)

Running Wireshark on Windows 8.1 Enterprise


You might get excited to run the greatest network sniffer utility on Windows 8.1, until you hit a show stopper. The show stopper is huge: a possible bug or unsupported feature in Windows 8.1 leaves Wireshark unable to hook onto a Network Interface.

 

The installation of Wireshark goes smoothly on Windows 8.1, but when you try to associate a Network Adapter you are presented with the error message:

"There are no interfaces on which a capture can be done"

You might then try the well-known troubleshooting article http://wiki.wireshark.org/CaptureSetup/CapturePrivileges, but you soon realize that although you have executed the executable under Administrator privileges, you are still unable to associate a Network Adapter.

 

Issue: The issue lies with the WinPcap component, which is currently unsupported on Windows 8.1.

File versions: Wireshark 1.12.0 and WinPcap 4.1.3

Resolution: Assuming the Administrator has already installed Wireshark, follow the steps below.

Step 1: Uninstall WinPcap using C:\Program Files (x86)\Winpcap\uninstall.exe

Step 2: Navigate to C:\Program Files\Wireshark\winpcap.exe and set its Compatibility level to run under Windows 7, as shown below

[Screenshot: WinPcap compatibility settings (image not included)]

Step 3: Run the WinPcap executable. Upon successful installation, restart Wireshark; the Administrator will now be able to bind the Network adapter successfully.

If it is a new installation on Windows 8.1, the Administrator can set the compatibility level for WinPcap and run the file during installation.

 

LDIFDE Export User from OU Location


Description:

One of the tricky situations for an Active Directory Administrator is user management. They are often challenged by scenarios to extract user info, export user data from one OU to another, or export user attributes from one Active Directory domain to another. The command below is targeted at extracting user information from an OU.

Export a single user's Active Directory attributes.

ldifde -f UserAttribute.ldf -s <Source DC FQDN> -d "CN=Standard Worker,OU=Research,DC=Innovative,DC=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

The command above dumps the Standard Worker attributes to UserAttribute.ldf, omitting the system-maintained attributes listed after -o. Before importing the exported .ldf file, Administrators have to perform the following:

a) Remove the legacy domain DN and replace it with the target domain DN. In our example, DC=innovative,DC=com should be changed to DC=target,DC=com.

b) Remove the userAccountControl attribute from the export (UserAttribute.ldf).

c) Remove the lastLogonTimestamp attribute from the export (UserAttribute.ldf).

d) Modify the OU path (if required) to reflect the target OU for the user.

Import the dump using

ldifde -i -f <file path> -s <destination DC FQDN>
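Steps a) to d) are hand edits of the exported file, and hand editing an LDIF is where DNs get mistyped or a folded line gets cut in half. The script below is an added example, not the post's own code: it applies all four steps in one pass over the export, unfolding LDIF continuation lines first so that a DN split across two lines is rewritten whole, and leaving base64 (`::`) values untouched. The function name Convert-LdifForTarget, the sample entry, and the target suffix and OU values (DC=target,DC=com, OU=Staff) are assumptions for illustration.

```powershell
# Added example (not code from the original post): rewrite an ldifde export
# for import into another domain, implementing steps a) to d) above.

function Convert-LdifForTarget {
    param(
        [Parameter(Mandatory)] [string[]] $Lines,
        [Parameter(Mandatory)] [string]   $SourceSuffix,   # e.g. DC=Innovative,DC=com
        [Parameter(Mandatory)] [string]   $TargetSuffix,   # e.g. DC=target,DC=com
        [string]   $SourceOU,                              # step d), optional
        [string]   $TargetOU,
        [string[]] $DropAttributes = @('userAccountControl', 'lastLogonTimestamp')  # steps b) and c)
    )

    # LDIF folds long values: a line beginning with a single space continues
    # the previous line. Unfold first so DN rewrites see complete values.
    $unfolded = New-Object System.Collections.Generic.List[string]
    foreach ($line in $Lines) {
        if ($line.StartsWith(' ') -and $unfolded.Count -gt 0) {
            $unfolded[$unfolded.Count - 1] += $line.Substring(1)
        } else {
            $unfolded.Add($line)
        }
    }

    $output = New-Object System.Collections.Generic.List[string]
    foreach ($line in $unfolded) {
        # Attribute lines are "name: value" (plain) or "name:: value" (base64).
        # LDAP attribute names are case-insensitive, as is PowerShell's -contains.
        if ($line -match '^(?<attr>[A-Za-z][\w\-;.]*)(?<sep>::?)\s?') {
            if ($DropAttributes -contains $Matches['attr']) { continue }
            # Only plain-text values are rewritten; base64 values are left alone.
            if ($Matches['sep'] -eq ':') {
                $line = $line -ireplace [regex]::Escape($SourceSuffix), $TargetSuffix   # step a)
                if ($SourceOU -and $TargetOU) {
                    $line = $line -ireplace [regex]::Escape($SourceOU), $TargetOU       # step d)
                }
            }
        }
        $output.Add($line)
    }
    return $output
}

# Constructed sample in the shape ldifde writes: one entry, with one folded DN value.
$sample = @'
dn: CN=Standard Worker,OU=Research,DC=Innovative,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Standard Worker
sAMAccountName: sworker
userAccountControl: 512
lastLogonTimestamp: 130612345678901234
manager: CN=Research Lead,OU=Research,DC=Innovative,
 DC=com
displayName: Standard Worker
'@ -split "`r?`n"

$converted = Convert-LdifForTarget -Lines $sample `
    -SourceSuffix 'DC=Innovative,DC=com' -TargetSuffix 'DC=target,DC=com' `
    -SourceOU 'OU=Research' -TargetOU 'OU=Staff'

$converted                                              # review the rewritten entry before importing
$converted | Set-Content -Path 'UserAttribute-target.ldf'
# Then import with: ldifde -i -f UserAttribute-target.ldf -s <destination DC FQDN>
```

Two things to check on the rewritten file before running the import. First, any DN-valued attribute that survived the export (the manager line in the sample) must point at an object that already exists in the target domain, or the import fails on that entry. Second, because userAccountControl is removed, the imported accounts are created in the default disabled state and stay disabled until an administrator enables them, which is the safe outcome: nobody can log on with a migrated account before it has been reviewed. If the export contains non-ASCII values, export and import with the ldifde -u (Unicode) switch and write the file with a matching encoding.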

Windows 8.1 Audit Policy – Audit Account Logon Events


I had published another interesting article on TechNet about Audit Account Logon Events, with examples.

Summary

This article describes Audit Account Logon Events in Windows 8.1 and the procedure to analyze event logs for logon events.

Applies to: Windows 8.1

Details:

The following article applies to a Windows 8.1 PC configured in Workgroup mode. The procedure would change when Windows 8.1 is configured in an Active Directory Domain.

Article Link:

http://answers.microsoft.com/en-us/windows/wiki/windowsrt_1_pr-security/windows-81-audit-policy-audit-account-logon-events/6f2bbcf7-f342-4f4b-a6fa-3da929a829fb

Manage User Accounts With Advance User Accounts Control Panel [Netplwiz]


I have published a two-part article on managing user accounts using the Advanced User Accounts control panel on Windows 8.1. The article gives a pictorial representation of the examples for managing user accounts. The examples are demonstrated on Windows 8.1 configured in Workgroup mode.

 

Links:

Part1:

http://answers.microsoft.com/en-us/windows/wiki/windows8_1_pr-security/manage-user-accounts-with-advance-user-accounts/8a274b32-0a56-4198-819f-108158cb8080

 

Part2:

http://answers.microsoft.com/en-us/windows/wiki/windows8_1_pr-security/manage-user-accounts-with-advance-user-accounts/cc0df5ee-3be5-436a-9076-c8a100518d5b

 

 

Active Directory and DNS Design Implementation


Solution Description:
CLT will be hosting its infrastructure on the Microsoft Hyper-V virtualization stack. The virtual infrastructure servers will host Microsoft Exchange Server, Microsoft Active Directory, Microsoft System Center Orchestrator, a File Server, CLT Application Servers, Microsoft SQL Servers, etc.
CLT has 3 Production VLANs and 1 Client VLAN configured on Cisco hardware. Each VLAN is configured on Cisco 3750 series switches, and a dedicated patch panel separates the Management switches from the Client / Server switches. A Fabric Interconnect provides the management interface, layered between the Layer 3 switch and the Cisco UCS Blade servers.
Each VLAN has a mix of Unix and Microsoft servers. Most Microsoft servers are virtualized and staged on Microsoft Hyper-V, with appropriate VLAN tags configured for communication between the servers and the storage arrays.
CLT is engaging SKV, a Microsoft Premier Consulting firm, to perform DNS design and configuration, which involves configuring DNS servers in three Active Directory Domains and establishing communication across the DNS servers.

 

 

Detail Design Document is attached below

Active Directory and DNS Design

 

Restructuring DNS Infrastructure


Solution Description:

The HYDRA DNS infrastructure has potential security issues which could allow external entities to gain control over the infrastructure and access application data or the servers. AVA performed a critical analysis of the HYDRA infrastructure and produced a report requiring that the infrastructure be redesigned.

The HYDRA organization hosts its infrastructure in New South Wales. There are 2 major sites connected by high-speed networks, and the infrastructure is hosted on Microsoft infrastructure servers. The Headquarters is in Sydney, followed by a Secondary site in Melbourne.

HYDRA's existing Microsoft infrastructure runs on Windows Server 2008 R2 with a single Active Directory Forest and multiple domain controllers configured across the physical sites. The existing environment has critical security issues with respect to its Domain Name System, and HYDRA requires its Domain Name System to be redesigned so that HYDRA security policies are met. HYDRA is engaging AVA, a Microsoft Premier Consulting firm, to perform the DNS restructuring, which involves placing DNS servers in the DMZ and routing the internal DNS servers' requests to the DMZ DNS server instead of to public ISP servers.

 

Detailed design can be found from the below link

 

Download Document:

Restructuring DNS Infrastructure

 

Domain Restructuring – Designing RODC


Introduction:

This document describes the design decisions for implementing a Read Only Domain Controller in an existing Active Directory Forest. The infrastructure is assumed to have a fully operational Active Directory Forest hosted on Microsoft hybrid cloud infrastructure.

 

 

For the complete solution, please download the file below.

Download File:

Domain Restructuring-RODC Placement