An Advanced Approach of Active Directory Techniques

Upload: ijitjournals

Post on 13-Apr-2018


International Journal of Information and Technology (IJIT) Volume 1 Issue 1, Mar-Apr 2015
ISSN: 2454-5414 www.ijitjournal.org Page 1

An Advanced Approach of Active Directory Techniques

Purna Chandra Rao [1], Venkatesh Parmi [2]
Senior Consultant [1], Consultant [2]
Research and Development
Microsoft, Hyderabad
Telangana, India

ABSTRACT

In this paper we propose an advanced new approach to Active Directory techniques, used to avoid the security loopholes of an entire organization's AD. Active Directory is a concept of Microsoft servers for maintaining an entire organization, designed with the help of the tree data structure. Just as a group of trees is called a forest, a group of computers in an organization is also called a forest, and a group of forests is called Active Directory. Microsoft implemented the same concept, introduced it as Active Directory, and there are now plenty of versions.

Keywords: AD, NT, FSMO, Domain, Forest

I. INTRODUCTION

As per Wikipedia and MSDN, Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks; it is included in most Windows Server operating systems as a set of processes and services. [1][2]

An AD domain controller authenticates and authorizes all users and computers in a Windows domain type network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. [3]

Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.

Active Directory, like many information-technology efforts, originated out of a democratization of design using Requests for Comments (RFCs). The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept and then makes improvements upon them.

For example, Lightweight Directory Access Protocol (LDAP), a long-standing directory technology, underpins Active Directory. X.500 directories and the Organizational Unit also preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995), [4] RFC 2307, RFC 3062, and RFC 4533.

Microsoft previewed Active Directory in 1999, released it first with the Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. With the release of the last, Microsoft renamed the domain controller role (see below) as Active Directory Domain Services (AD DS). It is also included in Windows Server 2012 and Windows Server 2012 R2.

II. ACTIVE DIRECTORY SECURITY ARCHITECTURE

III. FSMO ROLE FAILURE

Some of the operations master roles are essential for AD functionality; others can be unavailable for a while before their absence is noticed. Normally it is not the failure of the role itself, but rather the failure of the DC on which the role is running.

If a DC that is a role holder fails, you can seize the role on another DC, but you should always try to transfer the role first.

Before seizing a role you need to assess the likely duration of the outage of the DC that is holding the role. If it is likely to be a short outage due to a temporary power or network issue, then you would probably want to wait rather than seize the role.

2.1 Schema Master Failure

In most cases the loss of the schema master will not affect network users, and will only affect admins if modifications to the schema are required. You should, however, only seize this role when the failure of the existing holder is considered permanent.

Note: A DC whose schema master role has been seized should never be brought back online.

2.2 Domain Naming Master Failure

Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if they try to add or remove a domain in the forest. You should, however, only seize this role when the failure of the existing holder is considered permanent.

Note: A DC whose schema master role has been seized should never be brought back online.

2.3 RID Master Failure

Temporary loss of this role holder will not be noticeable to network users. Domain Admins will only notice the loss if a domain they are creating objects in runs out of relative IDs (RIDs). You should, however, only seize this role when the failure of the existing holder is considered permanent.

Note: A DC whose schema master role has been seized should never be brought back online.

2.4 PDC Emulator Master Failure

Network users will notice the loss of the PDC emulator. If the DC with this role fails you may need to seize this role immediately. Only pre-Windows 2000 clients and NT4 BDCs will be affected.

If you seize the role and later return the original DC to the network, you can transfer the role back.

2.5 Infrastructure Master Failure

Temporary loss of this role holder will not be noticeable to network users. Administrators will not notice the role loss unless they are moving, or have recently moved or renamed, large numbers of accounts.

If you are required to seize the role, do not seize it to a DC that is a global catalogue server unless all DCs are global catalogue servers.

If you seize the role and later return the original DC to the network, you can transfer the role back.
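The transfer-first, seize-only-when-permanent procedure from section III, worked through as an added PowerShell example (this is not the paper's own code). It assumes the ActiveDirectory RSAT module, Domain/Enterprise Admin rights, and a constructed hostname 'DC02'; the function `Move-FsmoRole` and the switch `-ConfirmedPermanentOutage` are names chosen here.

```powershell
# Added example, not from the paper. Assumes the ActiveDirectory RSAT module
# and Domain/Enterprise Admin rights; hostnames such as 'DC02' are constructed.
Import-Module ActiveDirectory
$forest = Get-ADForest
$domain = Get-ADDomain
# Role name -> current holder DC, as reported by AD itself.
$roles = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
# Inventory: which DC holds each role and whether that DC answers right now.
foreach ($role in $roles.Keys) {
    $state = if (Test-Connection $roles[$role] -Count 2 -Quiet) { 'reachable' } else { 'UNREACHABLE' }
    '{0,-22} {1,-35} {2}' -f $role, $roles[$role], $state
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string] $Role,      # a key of $roles
        [Parameter(Mandatory)] [string] $TargetDc,  # DC that should take the role
        [switch] $ConfirmedPermanentOutage          # set only after assessing the outage
    )
    $target = Get-ADDomainController -Identity $TargetDc
    # Caveat from 2.5: do not seize the Infrastructure Master onto a global
    # catalogue server unless every DC in the domain is a global catalogue.
    if ($Role -eq 'InfrastructureMaster' -and $target.IsGlobalCatalog) {
        $nonGc = Get-ADDomainController -Filter * | Where-Object { -not $_.IsGlobalCatalog }
        if ($nonGc) { throw "Refusing: $TargetDc is a GC but these DCs are not: $($nonGc.HostName -join ', ')" }
    }
    if (Test-Connection $roles[$Role] -Count 2 -Quiet) {
        # Holder is up: transfer first, so both DCs agree on the handover.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Confirm:$false
    } elseif ($ConfirmedPermanentOutage) {
        # Holder is gone for good: seize. -Force rewrites the role owner without
        # the old holder; the notes in 2.1-2.3 about returning it to the network apply.
        Move-ADDirectoryServerOperationMasterRole -Identity $target -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        throw "Holder $($roles[$Role]) is down; wait out a short outage or re-run with -ConfirmedPermanentOutage."
    }
}
# Usage: Move-FsmoRole -Role PDCEmulator -TargetDc 'DC02'
```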

In non-AD-integrated DNS, DNS saves all its data in text format in a .dns file, located at system32\dns\ZoneName.com.dns, and replicates data between DNS servers with the help of zone transfers. However, when DNS is integrated with AD, it saves the data in binary format in the AD database, NTDS.dit. The AD database has multiple logical partitions, each holding specific information with a scope to replicate at domain or forest level. For integrated applications such as Exchange and DNS, additional partitions are created inside the AD database. The poster below explains these points:

1) What partitions are used by DNS

2) What kind of DNS information is saved in these partitions

3) What the replication scope of these DNS partitions is


When DNS is installed along with AD, it is stored in the domain partition. But if DNS is installed after installing AD, it is stored in the configuration partition.
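The three questions the poster answers (which partitions DNS uses, what each holds, and how far it replicates), as an added PowerShell example rather than anything from the paper. It assumes the DnsServer and ActiveDirectory RSAT modules, run on or against a DC that also runs the DNS Server role; the file-backed case is the non-AD-integrated DNS the paragraph describes.

```powershell
# Added example, not from the paper. Assumes the DnsServer and ActiveDirectory
# RSAT modules on a DC that is also a DNS server.
Import-Module DnsServer, ActiveDirectory
$forest = Get-ADForest
# 1) Partitions: the application partitions AD created for DNS (DomainDnsZones,
#    ForestDnsZones), in addition to the domain partition used by legacy zones.
"Application partitions in forest $($forest.Name):"
$forest.ApplicationPartitions | ForEach-Object { "  $_" }
# 2) and 3) Per zone: where the data lives and how far it replicates.
$report = Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated } | ForEach-Object {
    if ($_.IsDsIntegrated) {
        # Binary data inside NTDS.dit; the partition decides the replication scope.
        $store = "AD partition $($_.DirectoryPartitionName)"
        $scope = switch ($_.ReplicationScope) {
            'Forest' { 'all DNS-server DCs in the forest' }
            'Domain' { 'all DNS-server DCs in the domain' }
            'Legacy' { 'domain partition: all DCs in the domain' }
            default  { 'custom application partition' }
        }
    } else {
        # Text file under system32\dns, replicated only by zone transfer.
        $store = "file system32\dns\$($_.ZoneFile)"
        $scope = 'zone transfer only'
    }
    [pscustomobject]@{
        Zone = $_.ZoneName; Storage = $store; Replication = $scope
        ZoneTransfer = $_.SecureSecondaries   # NoTransfer / TransferToZoneNameServer / ...
    }
}
$report | Format-Table -AutoSize
# Defender check: a primary zone that allows transfer to any server hands its full
# contents to whoever can reach TCP/53, whichever partition or file it lives in.
$report | Where-Object { $_.ZoneTransfer -eq 'TransferAnyServer' } |
    ForEach-Object { Write-Warning "$($_.Zone): zone transfer open to any server; tighten SecureSecondaries." }
```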


IV. CONCLUSION

Thus, we have designed an efficient method to secure highly confidential and restricted areas in Active Directory. This method will be useful not only at present but also in the future, based on the next version of Active Directory.

REFERENCES

[1] https://msdn.microsoft.com/en-us/library/cc723503.aspx
[2] http://en.wikipedia.org/wiki/Active_Directory
[3] http://sennovate.com/an-overview-of-windows-active-directory/
[4] http://www.ucs.cam.ac.uk/support/windows-support/winsuptech/activedir/fsmoroles
[5] Active Directory: Designing, Deploying, and Running Active Directory (paperback), by Brian Desmond, Joe Richards and Robbie Allen.
[6] Active Directory Cookbook, 4th ed. (O'Reilly Cookbooks), by Brian Svidergol and Robbie Allen.
[7] Tony Redmond's Exchange Unwashed, by Tony Redmond.