International Journal of Information and Technology (IJIT) Volume 1 Issue 1, Mar-Apr 2015
ISSN: 2454-5414 www.ijitjournal.org Page 1
RESEARCH ARTICLE OPEN ACCESS
An Advanced Approach of Active Directory Techniques
Purna Chnadra Rao [1], Venkatesh Parmi [2]
Senior Consultant [1], Consultant [2]
Research and Development
Microsoft, Hyderabad
Telangana, India
ABSTRACT
In this paper we propose an advanced approach to Active Directory techniques, intended to close the security loopholes of an organization's entire AD. Active Directory is Microsoft's directory service for managing an entire organization from Windows Server, and it is designed around the tree data structure: a domain holds the user, group and computer objects for part of the organization, a group of domains sharing a contiguous namespace forms a tree, and a group of trees forms a forest. Microsoft introduced this implementation as Active Directory with Windows 2000 Server, and there have since been many versions.
Keywords: AD, NT, FSMO, Domain, Forest
I. INTRODUCTION
As per Wikipedia and MSDN, Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks and is included in most Windows Server operating systems as a set of processes and services.[1][2]

An AD domain controller authenticates and authorizes all users and computers in a Windows domain network, assigning and enforcing security policies for all computers and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user.[3]

Active Directory makes use of Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version of Kerberos, and DNS.
Active Directory, like many information-technology efforts, originated out of a democratization of design using Requests for Comments (RFCs). The Internet Engineering Task Force (IETF), which oversees the RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates decades of communication technologies into the overarching Active Directory concept and then makes improvements upon them.
For example, Lightweight Directory Access Protocol (LDAP), a long-standing directory technology, underpins Active Directory. X.500 directories and the Organizational Unit also preceded the Active Directory concept that makes use of those methods. The LDAP concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[4] RFC 2307, RFC 3062, and RFC 4533.
Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with Windows Server 2003 R2, Windows Server 2008, and Windows Server 2008 R2. With Windows Server 2008, Microsoft renamed the domain controller role Active Directory Domain Services (AD DS). It is also included in Windows Server 2012 and Windows Server 2012 R2.
II. ACTIVE DIRECTORY SECURITY ARCHITECTURE
III. FSMO ROLE FAILURE
Some of the operations master (FSMO) roles are essential for day-to-day AD functionality; others can be unavailable for a while before their absence is noticed. Normally it is not the role itself that fails but the DC on which the role is running.

If a role-holding DC fails you can seize the role on another DC, but you should always try to transfer the role first. Before seizing a role you need to assess the likely duration of the outage of the DC holding the role. If it is likely to be a short outage, for example a temporary power or network issue, wait rather than seize the role.
3.1 Schema Master Failure
In most cases the loss of the schema master will not affect network users, and it affects administrators only if modifications to the schema are required. You should therefore seize this role only when the failure of the existing holder is considered permanent.
Note: A DC whose schema master role has been seized should never be brought back online.
3.2 Domain Naming Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain administrators will notice the loss only if they try to add or remove a domain in the forest. You should therefore seize this role only when the failure of the existing holder is considered permanent.
Note: A DC whose domain naming master role has been seized should never be brought back online.
3.3 RID Master Failure
Temporary loss of this role holder will not be noticeable to network users. Domain administrators will notice the loss only if a domain in which they are creating objects runs out of relative identifiers (RIDs); each DC draws RIDs from a pool allocated by the RID master and only asks for a new pool when its current one runs low. You should therefore seize this role only when the failure of the existing holder is considered permanent.
Note: A DC whose RID master role has been seized should never be brought back online, because it could issue RIDs that overlap those handed out by the new holder, producing duplicate SIDs.
3.4 PDC Emulator Master Failure
Network users will notice the loss of the PDC emulator. Pre-Windows 2000 clients and NT4 BDCs are affected immediately, but even in a native domain the PDC emulator is the authoritative time source, receives urgent replication of password changes and account lockouts, and is the default target for Group Policy edits, so if the DC with this role fails you may need to seize the role immediately.
If you seize the role and later return the original DC to the network, you can transfer the role back.

3.5 Infrastructure Master Failure
Temporary loss of this role holder will not be noticeable to network users. Administrators will not notice the role loss unless they have recently moved or renamed large numbers of accounts.
If you are required to seize the role, do not seize it to a DC that is a global catalogue server unless all DCs in the domain are global catalogue servers.
If you seize the role and later return the original DC to the network, you can transfer the role back.
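The procedure in sections 3.1 to 3.5 (find the role holder, prefer transfer, seize only when the outage is permanent or the role is the PDC emulator, respect the infrastructure master rule, and keep the old holder off the network) can be carried out with the ActiveDirectory module. The script below is an added example and not from the paper or from Microsoft; the target DC name `DC02.corp.example.com` is an assumption, and it assumes the RSAT ActiveDirectory module and rights to move the roles (Domain Admins for the three domain roles, Enterprise Admins for the domain naming master, Schema Admins for the schema master).

```powershell
# Added example, not from the paper: inventory the five FSMO holders, decide between
# transfer and seize per role, and enforce the infrastructure-master/GC rule.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# 1. Current holders: forest-wide roles from Get-ADForest, domain roles from
#    Get-ADDomain (the same data "netdom query fsmo" prints).
function Get-FsmoHolders {
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

# 2. Reachability of a holder. LDAP (389) answering means a graceful transfer is
#    possible; no answer is the cue to weigh a seizure.
function Test-RoleHolder {
    param([Parameter(Mandatory)][string]$DcFqdn)
    (Test-NetConnection -ComputerName $DcFqdn -Port 389 -WarningAction SilentlyContinue).TcpTestSucceeded
}

# 3. Section 3.5 rule: the target may be a GC only if every DC in the domain is a GC
#    (then no phantom objects exist for the infrastructure master to update).
function Test-InfrastructureMasterTarget {
    param([Parameter(Mandatory)][string]$TargetDc)
    $dcs      = Get-ADDomainController -Filter *
    $allAreGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $targetGc = (Get-ADDomainController -Identity $TargetDc).IsGlobalCatalog
    return (-not $targetGc) -or $allAreGc
}

# 4. Transfer when the holder answers; seize (-Force) only when the outage is declared
#    permanent, or for the PDC emulator, which may be seized at once and transferred
#    back later. A former holder of a seized schema, domain naming or RID master must
#    never rejoin: remove its metadata with ntdsutil "metadata cleanup" instead.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string]$Role,
        [switch]$OutageIsPermanent
    )
    $holder = (Get-FsmoHolders)[$Role]
    if ($Role -eq 'InfrastructureMaster' -and -not (Test-InfrastructureMasterTarget $TargetDc)) {
        throw "$TargetDc is a global catalog in a mixed GC/non-GC domain; choose another DC"
    }
    if (Test-RoleHolder $holder) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
        return "Transferred $Role from $holder to $TargetDc"
    }
    if ($OutageIsPermanent -or $Role -eq 'PDCEmulator') {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
        return "Seized $Role on $TargetDc; keep $holder offline unless the role was PDCEmulator"
    }
    return "$holder unreachable but outage judged temporary: wait rather than seize $Role"
}

# 5. RID master health check for section 3.3: rIDAvailablePool on CN=RID Manager$
#    packs the domain-wide RID ceiling in the high 32 bits and the next RID to be
#    issued in the low 32 bits.
function Get-RidPoolStatus {
    $ridMgr = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domain.DistinguishedName) -Properties rIDAvailablePool
    $pool   = [int64]$ridMgr.rIDAvailablePool
    $high   = $pool -shr 32
    $low    = $pool -band 0xFFFFFFFF
    [pscustomobject]@{ Ceiling = $high; NextRid = $low; Remaining = $high - $low }
}

# Usage (target DC name is an assumption for illustration):
Get-FsmoHolders
Get-RidPoolStatus
Move-FsmoRole -TargetDc 'DC02.corp.example.com' -Role PDCEmulator
Move-FsmoRole -TargetDc 'DC02.corp.example.com' -Role RIDMaster -OutageIsPermanent
```

`Move-ADDirectoryServerOperationMasterRole` without `-Force` performs a transfer and fails if the current holder cannot be contacted, which is exactly the "always try to transfer first" rule; `-Force` is the seizure. The `Remaining` column of `Get-RidPoolStatus` is what a domain administrator watches to know whether a prolonged RID master outage will be noticed before the outage ends.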
In non-AD-integrated DNS, the server stores all zone data as text in a .dns file located at system32\dns\ZoneName.com.dns and replicates it between DNS servers by zone transfer. When DNS is integrated with AD, the zone data is instead stored in the AD database NTDS.dit as directory objects: a dnsZone container holding one dnsNode object per name, with the records carried in binary form in the dnsRecord attribute. The AD database is divided into logical partitions, each holding specific information with a replication scope of either the domain or the forest. Integrated applications keep their data in further partitions (Exchange in the configuration partition, DNS in the DomainDnsZones and ForestDnsZones application partitions). The points below explain:
1) which partitions are used by DNS,
2) what kind of DNS information is saved in these partitions, and
3) what the replication scope of these DNS partitions is.
When DNS is installed along with AD DS during domain controller promotion, the domain's forward lookup zone is placed by default in the DomainDnsZones application partition (replicated to every DNS server in that domain) and the _msdcs zone of the forest root in the ForestDnsZones application partition (replicated to every DNS server in the forest). A zone created afterwards is placed according to the replication scope chosen for it: DomainDnsZones, ForestDnsZones, or, for compatibility with Windows 2000 domain controllers, the domain partition itself under CN=MicrosoftDNS,CN=System, where it replicates to every DC in the domain whether or not it runs DNS. An AD-integrated zone is never stored in the configuration partition; that partition holds forest-wide configuration such as sites, subnets and the Partitions container that defines the application partitions. Because these zones replicate through AD replication rather than zone transfer, zone transfers for them should be disabled or restricted to known name servers, and dynamic updates should be limited to secure (authenticated) updates.
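To see the three storage locations described above on a live domain, and to check the two settings that matter for the security of AD-integrated zones (secure-only dynamic updates and restricted zone transfers), the following script lists each zone's partition both as the DNS server reports it and as the dnsZone objects actually sit in the directory. This is an added example, not from the paper; it assumes the DnsServer and ActiveDirectory RSAT modules, that the PDC emulator also runs DNS (used here only as a convenient server name), and the zone name `corp.example.com` in the remediation lines is an assumption.

```powershell
# Added example, not from the paper: map AD-integrated DNS zones to their partition
# and flag weak dynamic-update and zone-transfer settings.
Import-Module DnsServer, ActiveDirectory

$domain    = Get-ADDomain
$forest    = Get-ADForest
$dnsServer = $domain.PDCEmulator   # assumption: the PDC emulator is also a DNS server

# 1. Zone inventory as the DNS server sees it.
#    ReplicationScope Domain -> DC=DomainDnsZones,<domain DN>      (all DNS servers in the domain)
#                     Forest -> DC=ForestDnsZones,<forest root DN> (all DNS servers in the forest)
#                     Legacy -> CN=MicrosoftDNS,CN=System,<domain DN> (every DC in the domain)
#    File-backed zones report IsDsIntegrated = False and live in %SystemRoot%\System32\dns\<zone>.dns.
function Get-ZoneInventory {
    param([Parameter(Mandatory)][string]$Server)
    Get-DnsServerZone -ComputerName $Server |
        Where-Object { -not $_.IsAutoCreated } |
        Select-Object ZoneName, ZoneType, IsDsIntegrated, ReplicationScope,
                      DirectoryPartitionName, DynamicUpdate, SecureSecondaries
}

# 2. Cross-check against the directory: enumerate dnsZone objects in each candidate
#    partition. Application partitions are outside the default naming context, so the
#    search base is given explicitly and the query is sent to a DC that hosts them.
function Get-DnsZoneObjects {
    param([Parameter(Mandatory)][string]$Server)
    $rootDomainDn = (Get-ADDomain -Identity $forest.RootDomain).DistinguishedName
    $bases = @(
        ('CN=MicrosoftDNS,CN=System,' + $domain.DistinguishedName)   # legacy domain partition
        ('DC=DomainDnsZones,' + $domain.DistinguishedName)           # domain-scoped application partition
        ('DC=ForestDnsZones,' + $rootDomainDn)                       # forest-scoped application partition
    )
    foreach ($base in $bases) {
        Get-ADObject -SearchBase $base -LDAPFilter '(objectClass=dnsZone)' -Server $Server -ErrorAction SilentlyContinue |
            Select-Object @{ n = 'Partition'; e = { $base } }, Name
    }
}

# 3. Findings: AD-integrated zones should accept only secure dynamic updates, and no
#    primary zone should transfer to arbitrary servers.
function Get-DnsZoneFindings {
    param([Parameter(Mandatory)][string]$Server)
    Get-DnsServerZone -ComputerName $Server |
        Where-Object { -not $_.IsAutoCreated -and $_.ZoneType -eq 'Primary' } |
        ForEach-Object {
            if ($_.IsDsIntegrated -and $_.DynamicUpdate -ne 'Secure') {
                [pscustomobject]@{ Zone = $_.ZoneName; Finding = "DynamicUpdate is $($_.DynamicUpdate); should be Secure" }
            }
            if ($_.SecureSecondaries -eq 'TransferAnyServer') {
                [pscustomobject]@{ Zone = $_.ZoneName; Finding = 'Zone transfer allowed to any server' }
            }
        }
}

Get-ZoneInventory  -Server $dnsServer | Format-Table -AutoSize
Get-DnsZoneObjects -Server $dnsServer | Format-Table -AutoSize
Get-DnsZoneFindings -Server $dnsServer

# 4. Remediation for a flagged zone (zone name is an assumption):
# Set-DnsServerPrimaryZone -Name 'corp.example.com' -DynamicUpdate Secure -ComputerName $dnsServer
# Set-DnsServerPrimaryZone -Name 'corp.example.com' -SecureSecondaries TransferToZoneNameServer -ComputerName $dnsServer
# Set-DnsServerPrimaryZone -Name 'corp.example.com' -ReplicationScope Forest -ComputerName $dnsServer  # move into ForestDnsZones
```

If a zone appears in `Get-ZoneInventory` with `IsDsIntegrated` true but is missing from `Get-DnsZoneObjects`, the DC you queried does not host that application partition, which is the practical consequence of the scope rules above: only DCs that run DNS hold DomainDnsZones and ForestDnsZones, while the legacy CN=MicrosoftDNS container is present on every DC in the domain.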
IV. CONCLUSION
Thus we have outlined a method for protecting the most sensitive and restricted parts of an Active Directory deployment: knowing which operations master roles can tolerate an outage, when a role must be seized rather than transferred and what must follow a seizure, and where AD-integrated DNS data is stored and how it replicates. These mechanisms have remained stable across Windows Server releases, so the guidance applies to current versions of Active Directory and should carry over to the next.
REFERENCES
[1] https://msdn.microsoft.com/en-us/library/cc723503.aspx
[2] http://en.wikipedia.org/wiki/Active_Directory
[3] http://sennovate.com/an-overview-of-windows-active-directory/
[4] http://www.ucs.cam.ac.uk/support/windows-support/winsuptech/activedir/fsmoroles
[5] Brian Desmond, Joe Richards, Robbie Allen, Active Directory: Designing, Deploying, and Running Active Directory.
[6] Brian Svidergol, Robbie Allen, Active Directory Cookbook, 4th ed. (O'Reilly Cookbooks).
[7] Tony Redmond, Tony Redmond's Exchange Unwashed.