Understanding the Domain Controller

August 22, 2021

Overview of ADDS

Forest: the top-level container of an Active Directory (AD) infrastructure. A forest can contain one or more domains, which are interconnected through transitive trusts, and it shares a single schema database. A forest consists of multiple domain trees; the domain trees in a forest do not form a contiguous namespace, but they share a common schema and global catalog (GC).

Domain: one level below the AD forest. Active Directory Domain Services (AD DS) is Microsoft’s directory server. It provides authentication and authorization mechanisms as well as a framework within which other related services can be deployed.

Authentication is the process of verifying who you are. When you log on to a PC with a user name and password you are authenticating. Authentication is about who somebody is.

Authorization is the process of verifying that you have access to something. Gaining access to a resource (e.g. a directory on a hard disk) because the permissions configured on it allow you access is authorization. Authorization is about what someone is allowed to do.

Domain Controller: a domain can consist of one or more domain controllers (DCs). A DC holds a directory database of its respective domain. The directory database consists of user objects, computer objects and more. A domain controller is the server that holds the AD database; all AD changes made on one DC are replicated to the other DCs and vice versa.

Organizational Unit: a container within a domain used to organize sets of users and computers. It is helpful for applying a set of policies to a group, user or computer within the domain.

The SYSVOL folder on a Windows domain controller stores the domain’s Group Policy settings, default profiles and logon/logoff/startup/shutdown scripts. It is located at C:\Windows\SYSVOL on every domain controller in the domain. SYSVOL keeps the server’s copy of the domain’s public files. Its contents, such as users, group policy, etc., are replicated to all domain controllers in the domain.

All security-related information of the Active Directory database is stored in the SYSVOL folder, and it is only created on an NTFS partition.

> DFS Replication Service Protocol Process (Virtual Name Space)
> Group Policy and Script associated with GP
> HUB & SPOKE Replication

The Netlogon folder contains the logon/logoff/startup/shutdown scripts and is located inside the SYSVOL folder.

Forest/Domain Functional Level (FFL/DFL) cannot be reverted back once raised. The functional level of the forest/domain limits which features are available.

Tombstoned: when an Active Directory (AD) object, such as a user or computer account, is deleted, the object actually remains in the directory for a period of time known as the tombstone lifetime. During this period, the deleted object, also known as a tombstoned object or simply a tombstone, can be restored by a process known as reanimation if there is no system-state backup of a domain controller (DC) available. The default value is 60 days.

Garbage collection is the process that clears out tombstoned objects after the tombstone lifetime has expired, and it performs an automatic online defragmentation of the database after garbage collection. By default, garbage collection occurs every 12 hours. When there are more than 5,000 tombstoned objects to be garbage-collected, it removes the first 5,000 tombstoned objects and then uses CPU availability to determine whether garbage collection can continue. If no other process is waiting for the CPU, garbage collection continues for up to the next 5,000 tombstoned objects whose tombstone lifetime has expired, and CPU availability is checked again to determine whether garbage collection can continue. This process repeats until all tombstoned objects whose tombstone lifetime has expired are deleted or another process needs access to the CPU.

A lingering object is a deleted AD object that re-appears (“lingers”) on a restored domain controller (DC) in its local copy of Active Directory. This can happen if the object was deleted on another DC after the backup was made, and that deletion happened more than 180 days ago.
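The following PowerShell is an added example, not part of the original post. It reads the tombstone lifetime and garbage-collection interval that the tombstone, garbage-collection and lingering-object paragraphs above describe from the forest’s Directory Service object, lists the deleted objects that are still within the tombstone lifetime, and checks whether a backup (a constructed sample date) is already too old to restore safely. It assumes the ActiveDirectory RSAT module on a domain-joined host.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module
# and a domain-joined host with permission to read the Configuration partition.
Import-Module ActiveDirectory

# The forest-wide settings live on the Directory Service object in the Configuration NC.
$rootDse = Get-ADRootDSE
$dsPath  = "CN=Directory Service,CN=Windows NT,CN=Services,$($rootDse.configurationNamingContext)"
$ds      = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, garbageCollPeriod

# When an attribute is absent, AD applies its built-in default:
# 60 days tombstone lifetime (180 days for forests created on newer Windows versions)
# and a 12-hour garbage-collection interval.
$tsl = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
$gcp = if ($ds.garbageCollPeriod) { $ds.garbageCollPeriod } else { 12 }
Write-Host "Tombstone lifetime: $tsl days; garbage collection runs every $gcp hours"

# Deleted objects still inside the tombstone lifetime can be reanimated.
# whenChanged is the deletion time; after whenChanged + TSL the next
# garbage-collection pass purges the tombstone for good.
Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects -Properties whenChanged |
    Where-Object { $_.ObjectClass -ne 'container' } |
    Select-Object Name, ObjectClass, whenChanged,
        @{ Name = 'PurgeAfter'; Expression = { $_.whenChanged.AddDays($tsl) } } |
    Sort-Object PurgeAfter |
    Format-Table -AutoSize

# A system-state backup older than the tombstone lifetime must not be restored:
# objects deleted since the backup would come back as lingering objects because
# the tombstones that would tell the restored DC about the deletions are gone.
$backupDate = [datetime]'2021-06-01'   # constructed sample value, not a real backup
$backupAge  = (Get-Date) - $backupDate
if ($backupAge -gt [timespan]::FromDays($tsl)) {
    Write-Warning ("Backup from {0:d} is {1} days old, older than the {2}-day tombstone lifetime; restoring it risks lingering objects." -f $backupDate, [int]$backupAge.TotalDays, $tsl)
} else {
    Write-Host ("Backup from {0:d} is within the tombstone lifetime and can be restored." -f $backupDate)
}
```

Run it on a domain controller or management host as a user with read access to the Configuration partition and the Deleted Objects container.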

Directory Services Restore Mode (DSRM) is a special boot mode for repairing or recovering Active Directory. It is used to log on to the computer when Active Directory has failed or needs to be restored.

Active Directory: a directory service that serves as a central location for network administration and security; it is responsible for authenticating and authorizing all users and computers within a Windows domain network.

The AD database is stored in c:\windows\ntds\NTDS.DIT.

Active Directory is primarily used to store directory objects like users, groups, computers and printers.

Using Active Directory brings a number of advantages to your network:

> Centralized user account management
> Centralized policy management (group policy)
> Better security management

Lightweight Directory Access Protocol (LDAP) is the protocol used to talk to Active Directory; basically, it is a protocol used to access data from a directory database. LDAP is an Internet-standard protocol that runs over TCP/IP, on port 389.
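An added example, not from the original post, of what an LDAP exchange with a domain controller on TCP port 389 looks like from PowerShell using .NET’s System.DirectoryServices.Protocols: it reads RootDSE, then runs a directory search under the domain naming context. The host name dc01.example.com is a placeholder; the script assumes a domain-joined machine with network access to a DC.

```powershell
# Added example (not from the original post). "dc01.example.com" is a placeholder.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dc01.example.com:389'
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($server)
$conn.SessionOptions.ProtocolVersion = 3
# Port 389 carries cleartext LDAP unless the session is signed and sealed.
# Requesting both here means the DC's "LDAP signing required" policy is satisfied
# and the directory data is not readable on the wire.
$conn.SessionOptions.Signing = $true
$conn.SessionOptions.Sealing = $true
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$conn.Bind()   # binds with the current user's Kerberos/NTLM credentials

# RootDSE (empty base DN, base scope) describes the DC and its naming contexts.
$rootReq = New-Object System.DirectoryServices.Protocols.SearchRequest(
    '', '(objectClass=*)',
    [System.DirectoryServices.Protocols.SearchScope]::Base,
    @('defaultNamingContext', 'dnsHostName', 'supportedLDAPVersion'))
$rootDse  = $conn.SendRequest($rootReq).Entries[0]
$domainDn = $rootDse.Attributes['defaultNamingContext'][0]
Write-Host "Connected to $($rootDse.Attributes['dnsHostName'][0]); domain NC is $domainDn"

# A directory lookup in the domain partition: computer objects whose
# userAccountControl has the SERVER_TRUST_ACCOUNT bit (8192), i.e. the domain's DCs.
# 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND matching rule.
$filter = '(&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=8192))'
$req = New-Object System.DirectoryServices.Protocols.SearchRequest(
    $domainDn, $filter,
    [System.DirectoryServices.Protocols.SearchScope]::Subtree,
    @('dNSHostName', 'operatingSystem'))
foreach ($entry in $conn.SendRequest($req).Entries) {
    '{0,-35} {1}' -f $entry.Attributes['dNSHostName'][0], $entry.Attributes['operatingSystem'][0]
}
$conn.Dispose()
```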
