VNUHCM UNIVERSITY OF SCIENCE

FACULTY OF ELECTRONICS TELECOMMUNICATIONS

DEPARTMENT OF TELECOMMUNICATIONS NETWORKS

COURSE
NETWORK TECHNOLOGY

Chapter 1 Windows Domain

ACTIVE DIRECTORY
01
Editor: Nguyen Viet Ha, Ph.D.

September 17, 2024

Lecturer: Nguyen Minh Tri, Ph.D. Email: ngmtri@hcmus.edu.vn 2

Workgroup Workgroup

A peer-to-peer group of computers that share resources. As small as two computers, or it can scale up to be quite large.

Small pool of systems ideally 15 or less. 200 systems.

Decentralized in every way.
o May have a central server using to consume various services. Self-authentication and self-authorization
for access to resources.

o Or share data from individual workstations.

Overload Weak
3/74
/50 4/74
/50
 Workgroup Workgroup

Authentication Authorization
When connecting to a shared resource on a computer, you are first Checks the permissions of the authenticated user and controls
prompted to supply a valid username and password on that access to functions based on the roles that are assigned to the user.
computer that has permissions to access the resource.

5/74
/50 6/74
/50

Workgroup Workgroup

The authentication process for the user log-in SAM objects include the following:
is at the local computer.
SAM_ALIAS: A local group

SAM_GROUP: A group that is not a local group (e.g., domain group)

Windows stores user accounts and security descriptors in a database
file called Security Account Manager (SAM). SAM_USER: A user account

It authenticates local user logons. SAM_DOMAIN: A domain

The SAM database resides in the Windows registry.
SAM_SERVER: A computer account
(C:\WINDOWS\system32\config)

Available on Windows XP, Vista, 7, 8.1, 10, and 11.

7/74
/50 8/74
/50
 Workgroup Workgroup

Advantages: Disadvantages:
Very simple to manage. Low security.
o Passwords may not be changed very often.
Simply configure a resource for sharing and define who If they are changed, a user may update his password on a few
you want to share that resource with because systems but not on all of them, and then end up out of sync.
everything is set locally.

Less scalability.
Inexpensive option because you need multiple
servers to support a workgroup.

9/74
/50 10/74
/50

Domain Domain

A logical grouping of computers that authenticate Once authenticated, the user receives a token that follows them
to a central database of users stored on special around the network and automatically proves their identity to other
servers called domain controllers. domain-joined servers and clients.
Allow to access resources that specifically grant them access.
When users log into a computer that is joined
to a domain, their usernames and passwords
Only need to authenticate once to a
are authenticated on the nearest domain
domain controller to prove their identity
controller.
to all domain members, this feature is
called single sign-on.

11/74
/50 12/74
/50
 Domain Domain

The software components that provide for authentication functionality Advantage Disadvantage
are called Active Directory. Centralization Complex
Contains many other services and components to centrally manage
Manageability High level of administration
and secure the computers that are joined to the domain.
Scalability High-performance devices (server,
o Group Policy can also be used to configure operating system
Tight Security router, switch)
settings, security, and software for different computers and users
Single-Sign-On Expensive
in the domain.
o Active directory Certificate Services can be used to
automate the configuration of deployment of encryption
certificates to domain computers and users.
13/74
/50 14/74
/50

Active Directory

A directory service that stores user/computer accounts, applications,

printers, shared folders, group policies, and all kinds of records.
The main Active Directory service is Active Directory Domain
Services (AD DS).

2 Active Directory o Provide centralized authentication and support single sign-on to

computers on the network that are joined to an Active Directory
domain.

15 16/74
/50
 Active Directory Active Directory

AD DS consists NTDS.DIT (New Technology Directory Service. Logically separated into the following partitions:
Directory Information Tree) file (%SystemRoot%\NTDS\Ntds.dit) Schema Partition: contains the definition of objects and rules for

A database that stores all Active Directory data, including their manipulation and creation in an active directory.

information about user objects, groups and group membership as Configuration Partition: contains the forest-wide active directory

well as password hashes for domain users. topology including DCs, sites and service.
Domain Partition: contain information about users, groups,
computers and OUs.
Application Partition: stores information about applications in an
AD. Suppose AD integrated DNS zones information is stored in this
partition.
17/74
/50 18/74
/50

Active Directory

Each domain controller (DC) has After the domain controller validates your user name and password, it
a centralized copy of the Active issues your computer an encrypted token that lists:
Directory database. Domain user account.
Domain group accounts of which you are a member.

Tokens can only be decrypted by computers that participate in the

same Active Directory domain.
Destroyed when you log out of your system.

19 20/74
/50
 Active Directory Active Directory

When you access a shared resource on another computer in domain, AD DS is composed of both logical and physical components
your token is automatically sent with the request to the target computer
to verify your identity.

You are then granted or denied access to the resource according to

the permissions assigned to your domain user and group accounts
listed within the ACL (Access Control List).

21/74
/50 22/74
/50

Active Directory Objects

An object is the most basic component

in the logical structure of AD defined
within the Active Directory database.

3 Active Directory Structure

The Active Directory schema stores a
list of all available object types (called
classes, e.g., user) and their associated
properties (called attributes).
23 24/74
/50
 Active Directory Objects Active Directory Objects

Leaf objects: represent a user account, group account, computer Domain (or Active Directory domain): used to group and manage
account, network resources published to the Active Directory database objects.
e.g., (shared printers). Creates a management boundary.
Given a unique DNS domain name, such as domain1.com.
Container objects: used to group leaf objects for ease of
Each domain object often represents a separate business unit within
administration and the application of Group Policy. There are three main
your organization and can contain OUs as well as leaf objects.
container:
Domains
Organizational units (OUs)
Sites
25/74
/50 26/74
/50

Active Directory Objects Active Directory Objects

Organizational Unit (OU): contains leaf objects or other OUs (called Site: represent physical locations within your organization.
child OUs). Each physical location contains a LAN that communicates with other
physical locations over an WAN/Internet connection.

The OU structure you create By representing each physical location with a site object, you can

for each domain should create settings that control the replication of Active Directory

reflect the structure information across the Internet.

within that particular

business unit.

27/74
/50 28/74
/50
 Active Directory Forests and Trees Active Directory Forests and Trees

Domains are often used to represent a single business unit within an Forest: a collection of Active Directory domains that share a schema
organization. => suitable for smaller organizations. and some security principals.

The vast majority of organizations in the world have a single forest

domain.
Larger organizations often have multiple business units, and each
business unit may need to access resources within other business units. Multiple domain forests are generally used by larger geographically
dispersed organizations.

Active Directory forests are used to provide for multiple domains within
the same organization.

29/74
/50 30/74
/50

Active Directory Forests and Trees Active Directory Forests and Trees

When install the first domain controller within the first domain in an Trees: a collection of one or more domains that share a common
namespace.
organization, a forest is created with the same name as this first Ex: domain2.com, hcm.domain2.com, and hn.domain2.com
domain. domains share the same core domain name, we refer to them as the
domain2.com tree.
The first domain in a forest is called the forest root domain.
The domain2.com domain is called the parent domain within the tree,
and the hcm.domain2.com and hn.domain2.com domains are called
domain1.com domain2.com child domains.
(forest root domain)

The domain1.com domain is also a tree but without child domains.

hcm.domain2.com hn.domain2.com

The first domain in a tree is called the tree root domain.

domain1.com FOREST
31/74
/50 32/74
/50
 Forest Tree
Root Root
HCM.com HN.com
Domain Domain
Tree
Root
Domain
Q1.HCM.com Q5.HCM.com BD.HN.com HK.HN.com

Child
Domain
4 Active Directory Trusts

P1.Q1.HCM.com P2.Q5.HCM.com P1.BD.HN.com P2.HK.HN.com

TREE DOMAIN TREE DOMAIN

FOREST DOMAIN 33 34

Active Directory Trusts Active Directory Trusts

Small organizations often may have Trust Flow:
only one domain, but larger Transitive trust: Domain 1 trusts Domain 2, and Domain 2 trusts
organizations will end up with Domain 3 => Domain 1 will also trust Domain 3.
multiple domains.
Nontransitive trust: Domain 1 trusts Domain 2, and Domain 2
trusts Domain 3; however, Domain 1 does not trust Domain 3.

One-way trust: establishes trust in one direction only. Domain 1

trusts Domain 2, but Domain 2 does not trust Domain 1.

To simplify administration and the user experience, you can set up

trusts between domains so that an authenticated user in one domain Two-way trust: bidirectional trust relationship. If Domain 1 trusts
can access resources in another domain without having to authenticate Domain 2, then Domain 2 also trusts Domain 1
with a separate set of credentials.
35/74
/50 36/74
/50
 Active Directory Trusts Active Directory Trusts
AD DS Trust Types: AD DS Trust Types:
Parent-Child Trust: trust relationship automatically created and Tree-Root Trust: trust relationship automatically created and
establishes a relationship between a parent domain and a child establishes a relationship between the forest root domain and a new
domain. tree.
transitive and they can be created as two-way trusts. They can be transitive and created as two-way trusts.

Tree Root trust

domain1.com domain1.com
domain2.com
Parent-Child Parent-Child Parent-Child Parent-Child
trust trust trust trust Parent-Child
trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com

c.domain2.com

37 domain1.com FOREST 38

Active Directory Trusts Active Directory Trusts

AD DS Trust Types: AD DS Trust Types:
Shortcut trust: are used on Windows Server domains that reside in Realm trust: allows to create a trust between a Windows Server
the same forest, where there is a need to optimize the authentication domain and a non-Windows (Linux, Unix, or MacOS Server) Kerberos
process (e.g., a user on Domain 1 frequently needs to authenticate realm.
to Domain 2). They can be transitive or nontransitive and created as one-way or
They can be transitive and created as one-way or two-way trusts. two-way trusts.
Tree Root trust Tree Root trust
domain1.com domain1.com Realm trust UNIX
Shortcut trust domain2.com Shortcut trust domain2.com Kerberos
Parent-Child Parent-Child V5 Realm
trust trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com

c.domain2.com c.domain2.com

domain1.com FOREST 39 domain1.com FOREST 40

 Active Directory Trusts Active Directory Trusts
AD DS Trust Types: AD DS Trust Types:
External trust: External trusts connect a Windows Server domain Forest trust: Forest trusts create a trust relationship between two
in one forest to another Windows Server domain (Windows NT 4.0 Windows Server forests.
and non-Windows Kerberos realms) in a different forest. transitive and can be established as one-way or two-way
nontransitive and created as one-way or two-way trusts. trusts.

Tree Root trust Tree Root trust Forest trust

domain1.com domain1.com
domain2.com domain3.net domain2.com domain3.net
Shortcut trust Shortcut trust
Parent-Child Parent-Child
trust trust

External trust External trust

a.domain1.com b.domain1.com a.domain1.com b.domain1.com
c.domain2.com a.domain3.net b.domain3.net c.domain2.com a.domain3.net b.domain3.net

domain1.com FOREST domain3.net FOREST 41 domain1.com FOREST domain3.net FOREST 42

Global Catalog
A single forest can contain an unlimited number of domains.
Each domain can contain an unlimited number of objects.

o Need the optimal way to locate objects quickly within different

domains.

5 Global Catalog

43 44/74
/50
 Global Catalog Global Catalog
Global Catalog (GC): The GC allows users to quickly find objects
Allows users and applications to find objects in an Active Directory without knowing what domain holds them
domain tree, given one or more attributes of the target object. without requiring a contiguous extended
namespace in the enterprise.
Holds a replica of every object in the directory (in naming context)
and a small number of their attributes:
o Most frequently used in search operations.
(i.e., a user's first and last names or login names)
o Required to locate a full replica of the object.
For example, when assigning permissions
on a resource, the interface you use will
Stored on at least one domain controller in the forest. allow you to select users and groups
The default is the first Domain Controller created in the Forest. within other domains in the forest from a
Can config in other Domain Controller to load balancing. list that is provided by the GC.
45/74
/50 46

Global Catalog Global Catalog

For user account objects, the global catalog stores a unique name The GC is updated when objects are added or removed within any
that users can use to log into their domain from any computer in the domain in the forest.
forest. These updates must be replicated to all other domain controllers that
hold a copy of the GC.
User Principle Name (UPN): username@domainname.
o Preferred to as User logon name
o Unique in the forest.

Require when logging into a computer as a user account within another

domain in the forest.
GC is contacted to verify the UPN and locate a domain controller that
can complete the authentication process.
47/74
/50 48/74
/50
 Global Catalog Global Catalog
In site environment, In site environment,
Smaller branch offices with low capacity servers, which cannot
handle additional load of hosting a GC Enable Universal Group Membership Caching (UGMC) on sites to
hold a copy of the global catalog to provide fast authentication.
GC replication may congest the Internet bandwidth in locations that
have a slower Internet connection. o Domain controllers must contact a remote global catalog the first
time each user authenticates to the domain in order to verify their
Solution: Deploy domain universal group memberships and cached on the DC.
controllers, which only store
universal group membership o The subsequent authentication requests use the universal group
information locally. membership information for the user stored in the cache.
Congest Eliminating the need to contact a remote global catalog.

49/74
/50 50/74
/50

Authentication Protocols
NT LAN Manager (NTLM):
Current version: 35.0 (4/29/2022)

Used for authentication between clients and servers.

o Authorization information:

6 Authentication Process
Group memberships.
Interactive logon information.
Message integrity.

Replaced by Kerberos.

51 52/74
/50
 Authentication Protocols Authentication Protocols
Kerberos Network Authentication Service (V5) protocol Kerberos Network Authentication Service (V5) protocol
(Kerberos V5): (Kerberos V5):
Current version: Version 5, Release 1.20 (26 May 2022)
Replaces NTLM in AD.
Used for authentication between clients and servers in DC (default).
o Authorization information: However, NTLM can be used when the Kerberos do not work.
Group memberships o One of the machines is not Kerberos-capable.
Interactive logon information o The server is not joined to a domain.
Message integrity o The Kerberos configuration is not set up correctly.
o The implementation chooses to directly use NLMP (NT LAN
Support Single Sign-On
Manager (NTLM) Authentication Protocol.).
High security.

53/74
/50 54/74
/50

KDC: Key Distribution Center KDC: Key Distribution Center

Authentication Process TGT: Ticket-Granting Ticket Authentication Process TGT: Ticket-Granting Ticket

5. The domain controller queries the

global catalog to identify the universal
groups to which the user belongs.
2. The credentials are
encrypted by the client 6. The KDC issues the client a 4. The domain controller
and sent to a domain ticket-granting ticket (TGT). creates a list of the
controller. domain-based groups to
which the user belongs.

3. The encrypted credentials are matched against

the encrypted credentials on the domain controller.

1. The user enters credentials at a workstation to perform an interactive logon.

55/74
/50 56/74
/50
 KDC: Key Distribution Center KDC: Key Distribution Center
Authentication Process TGT: Ticket-Granting Ticket Authentication Process TGT: Ticket-Granting Ticket
9. The TGS issues a service ticket (session ticket) for
the server where the resource resides to the client.
7. The client requests access
to a resource that resides on a The session ticket contains the SIDs for the users
specific server. group memberships.

8. The client uses the TGT

to gain access to the ticket-
granting service (TGS) on
the domain controller.
57/74
/50 58/74
/50

KDC: Key Distribution Center KDC: Key Distribution Center

Authentication Process TGT: Ticket-Granting Ticket Authentication Process TGT: Ticket-Granting Ticket

10. The client presents the session ticket to the server 11. The LSA compares the SIDs in the access token with the groups that are
where the resource resides. assigned permissions in the resources discretionary access control list (DACL). If
they match, the user is granted access to the resource.
The Local Security Authority (LSA) on the server uses
the information in the session ticket to create an access
token.

59/74
/50 60/74
/50
 Multi-master model
Active Directory is the central repository to store all objects in an
enterprise and their respective attributes.
It's a hierarchical, multi-master enabled database that can store
millions of objects.
Changes to the database can be processed at any domain controller
Flexible Single Master Operations (DC) in the enterprise.
7 (FSMO) Role
Possibility of conflicts that can potentially
lead to problems once the data is replicated
to the rest of the enterprise.

61 62/74
/50

FSMO Role Single-master model

Need a conflict resolution algorithm. To prevent conflicting updates, the Active Directory performs updates to
Which changes were written last, which is the last writer wins. certain objects in a single-master fashion.
The changes in all other DCs are discarded. Only one DC in the entire directory is allowed to process updates.

Active Directory includes multiple roles, and the ability to transfer roles
However, there are times when conflicts are too difficult to resolve
to any DC in the enterprise.
using the last writer wins approach.
In such cases, it's best to prevent the conflict from occurring rather
than to try to resolve it after the fact. Five (Flexible Single Master Operations) FSMO roles:

For certain types of changes, Windows

incorporates methods to prevent
conflicting Active Directory updates
from occurring.
63/74
/50 64/74
/50
 FSMO Roles FSMO Roles
Schema master Schema master
Manages the read-write copy of your Active Directory schema. Only one DC can process updates to the AD schema.
o The AD Schema defines all the attributes things like employee o Once the Schema update is complete, it's replicated from the
ID, phone number, email address, and login name that you can schema master to all other DCs in the directory.
apply to an object in your AD database.
There's only one schema
master per forest.
o Default: Primary DC (PDC)
of the Forest Root Domain.

65/74
/50 66/74
/50

FSMO Roles FSMO Roles

Domain naming Relative Identifier (RID) master
Manages the forest-wide domain name space of the directory. Allocating Relative Identifier (RID) pools to DCs in its domain.
Only one DC can add or remove domains and application o When a DC creates a security principal object (e.g., user or
directory partitions from the directory. group), it attaches a unique SID to the object, consists of:
A domain SID that's the same
There's only one Domain for all SIDs created in a domain.
naming per forest.
A RID that's unique for each
o Default: Primary DC (PDC) security principal SID created in
of the Forest Root Domain. a domain.

Moving objects from one domain to

another within a forest.
There is one RID Master in each domain in an Active Directory forest
67/74
/50 68/74
/50
 FSMO Roles FSMO Roles
Primary Domain Controller (PDC) emulator Infrastructure master
Controls authentication within a domain. Updates an object's SID and Distinguished Name (DN) in a cross-
o Responds to authentication requests, domain object reference.
changes passwords, manages Group When an object in one domain is referenced by another object in
Policy Objects, account lockout. another domain, it represents the reference by:

Synchronize time in an enterprise. o The Globally Unique Identifiers

(GUID).
Backward compatibility. o The SID (for references to security
o Performs all of the functionality that a Windows NT 4.0 Server- principals).
based PDC or earlier PDC performs for Windows NT 4.0-based or o The DN of the object being
earlier clients. referenced.
There is one in each domain in an
There is one in each domain in an Active Directory forest Active Directory forest.
69/74
/50 70/74
/50

FSMO Roles FSMO Roles

Infrastructure master Infrastructure master

Review the Globally Unique Identifiers (GUID) Review the Distinguished Name (DN):
o 128-bit number to uniquely identify specific components, o Unique in the Forest.
hardware, software, files, user accounts, database entries and
other items. o Includes enough information to locate a replica of the partition
o Unique not only in the enterprise but also across the world. that holds the object.
o Active Directory uses GUIDs internally to identify objects.
Is a sequence of relative distinguished names (RDN)
o GUID would not changed but SID could sometimes changed. connected by commas.

o The reason for using SIDs not GUIDs, is for backward

compatibility. Ex: Windows NT uses SIDs to identify users and
groups in ACLs on resources.
71/74
/50 72/74
/50
 FSMO Roles
THANK YOU FOR YOUR ATTENTION
Infrastructure master

Review the Distinguished Name (DN):

An RDN is an attribute with an
associated value in the form
attribute=value.

Ex: Nguyen Minh Tri, Ph.D.

CN=Jeff Smith,OU=Sales,DC=Fabrikam,DC=COM Department of Telecommunications and Networks
Faculty of Electronics and Communications
CN=Karen Berge,CN=admin,DC=corp,DC=Fabrikam,DC=COM University of Science, Vietnam National University, Ho Chi Minh City
Email: ngmtri@hcmus.edu.vn
73/74
/50