
Difference between Windows 2000 and Windows NT

                        Windows NT                       Windows 2000
1. File systems         FAT16, NTFS 4.0                  FAT16, FAT32, NTFS 5
2. Default browser      Internet Explorer 4.0            Internet Explorer 5.5
3. Domain model         Single Master Domain Model       Multi-Master Domain Model
4. Security accounts    Stored in the SAM                Stored in Active Directory (ADS)
5. Database size limit  40 MB                            17 TB
6. Object capacity      Up to 40,000 objects             More than 1 million objects

Limitations of NT Security
• Restricted SAM size
• Single point of failure at the primary domain controller
• Poor operational performance
• Poor replication performance
• Lack of management granularity
• Nontransitive trust relationships

Security Account Manager (SAM) Database Size

Security accounts in classic NT are stored in the Security Account Manager database, called the
SAM for short. The SAM is a flat-file database consisting of a set of Groups and a set of Users.
Computer accounts are also included in the SAM as a special form of user account. The total
number of users, computers, and groups in classic NT is limited because the SAM cannot grow
above a certain size.

Single Point of Failure


The PDC is the only server that has read/write access to the SAM in a classic NT
domain. If the PDC crashes or the telecommunications link to it goes down, you cannot
make any changes to the domain. You cannot add new users to a group or join computers to the
domain. Users can still log on via a backup domain controller (BDC) but they cannot change their
passwords. To correct this problem, an administrator must promote a BDC to PDC.

Lack of Management Granularity
A major weakness in the SAM structure is its inability to support hierarchical
management: the SAM is a flat list, so administrative authority cannot be delegated over a
subset of the accounts in a domain.

Nontransitive Trust Relationships


Of all the limitations in classic NT, the ugliest is the inability to link domains together
seamlessly while maintaining separate administrative roles. Classic domains are linked by
trust relationships, and because those trusts are nontransitive, every pair of domains that must
share resources needs its own explicit trust.

Active Directory: Active Directory stores information about the resources and objects
on the entire network and makes it easy for users to locate, manage, and use these
resources.

Improvements Made by Active Directory


1. The Active Directory account database in Windows Server 2003 can hold a billion
objects. This resolves scalability concerns.

2. Multiple domain controllers can host read/write copies of Active Directory, eliminating the
problems with a single point of failure and poor operational performance.

3. A Windows 2000 server can be promoted to a domain controller and demoted back to a
member server without the need to reinstall the operating system.

4. Active Directory domains still use “trusts” that now give full, two-way access to resources and
are fully transitive between domains.

Introduction: Active Directory is made up of components that constitute its logical and physical
structure. To administer Active Directory, we must understand the purpose of these components

Logical Structure : The logical structure of Active Directory provides methods for organizing
network resources such as computers, printers, users and groups. It is made up
of objects, organizational units, domains, domain trees, and forests.

1. Objects
The object is the most basic component of the logical structure. Object classes are templates for the
types of objects that can be created in Active Directory. Each object class is defined by a group of
attributes. Attributes define the possible values that can be associated with an object. Each object has a
unique combination of attribute values.

2. Organizational units
Organizational units are container objects that are used to group other objects in a manner that
supports your administrative purposes. By grouping objects by organizational unit in a logical fashion,
it becomes easier to locate and administer objects. We can also delegate the authority to administer an
organizational unit. Organizational units can be nested in other organizational units. By nesting
organizational units, we can further simplify the administration of objects.
3. Domains
Domains are the core functional units in the Active Directory logical structure. A domain is a
collection of objects that share a common directory database, security policies, and security
relationships with other domains. Domains provide the following three functions:
• Serve as an administrative boundary for objects
• Help to manage security for shared resources
• Serve as a unit of replication for objects

4. Domain Trees
Domains can be grouped together in hierarchical structures that are called trees. When a second
domain is added to a tree, it becomes a child of the tree root domain. The domain to which a child
domain is attached is called the parent domain. A child domain may in turn have its own child
domain. The name of a child domain is combined with the name of its parent domain to form its own
unique Domain Name System (DNS) name. In this manner, a tree has a contiguous namespace.

5. Forests
Forests are made up of one or more trees, although a single two-level tree is recommended for most
organizations. A two-level tree is when all child domains are made children of the forest root domain
to form one contiguous tree. The first domain in the forest is called the forest root domain, and the
name of that domain is used to refer to the forest. A forest is a complete instance of Active Directory.
By default, the information within Active Directory is shared only within the forest. In this way, the
forest is a security boundary for the information contained in the instance of Active Directory.

Physical Structure: The physical structure of Active Directory models the physical structure of
the network and is made up of domain controllers and sites. It defines where and when replication
and logon traffic occur, and is therefore the level at which network traffic is managed and
optimized. The elements of the Active Directory physical structure are:

1. Domain controllers Domain controller performs storage and replication functions. A domain
controller can support only one domain. A domain can have one or more domain controllers.

2. Active Directory sites Created mainly to optimize replication traffic and to enable users
to connect to domain controllers over reliable, high-speed connections. A site is a group of
well-connected computers (one or more IP subnets). When sites are established, domain controllers
within a single site communicate frequently. This communication minimizes the latency within the
site. Latency is the time required for a change that is made on one domain controller to be replicated
to other domain controllers. You create sites to optimize the use of bandwidth between separated
domain controllers. Sites and domains are independent of each other: a single site can contain
domain controllers from multiple domains, and a single domain can span multiple sites.

Note : We use Logical structure to organize the network resources and Physical structure
to manage the network traffic.

To View the Logical and Physical Structure of Active Directory


The logical and physical structure of Active Directory can be viewed by using tools such as Active
Directory Users and Computers, Active Directory Sites and Services, Active Directory Schema, ADSI
Edit, and Active Directory Domains and Trusts. To view the Active Directory logical and physical
structure, perform the following steps:

1.Open Active Directory Users and Computers and view the organizational
units in Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Users and Computers.
b. In the left pane, double-click Active Directory Users and Computers.
c. In the left pane, double-click the domain for which you want to view the organizational units.
d. Display the Properties page for each container in the left pane and determine the object type by
using the Object class information on the Object tab.
You can also view the organizational units in Active Directory by using the
ADSI editor. The ADSI Edit snap-in is not installed by default. To install it, use the
support tools installer, Suptools.msi, which is located in the \Support\Tools
folder of the Windows Server 2003 product CD.
2. Open Active Directory Domains and Trusts to view the logical structure
of Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Domains and Trusts.
b. In the left pane, expand the node that represents the forest-root domain
to view the domains that make up the logical structure of Active
Directory.

3. Open Active Directory Sites and Services and view the physical structure
of Active Directory. To do so, perform the following steps:
a. Click Start, All Programs, Administrative Tools, and then click
Active Directory Sites and Services.
b. In the left pane, expand the Sites folder.
c. Click the folder that represents the site for which you want to view a list
of servers.
d. Click the Servers folder to view a list of servers in the right pane.

What Does Active Directory Do?

1. Active Directory stores information about users, computers and network resources, and makes the
resources accessible to users and applications. It does this by providing a consistent way to name,
describe, locate, access, manage, and secure information about these resources.

2. Active Directory provides centralized control of network resources, such as servers, shared files,
and printers, and allows only authorized users to gain access to resources throughout Active Directory.

3. With Active Directory, you can centralize or delegate the administration of resources and objects as
appropriate. Administrators can manage distributed desktops, network services, and applications from
a central location by using a consistent management interface, or they can distribute administrative
tasks by
delegating control of resources to other administrators.

4. When Active Directory is installed, all resources in a Windows Server 2003 network are stored in
Active Directory as objects. These objects are organized in a secure, hierarchical logical structure.

5.The physical structure of Active Directory enables you to optimize the use of network bandwidth.
For example, the physical structure of Active Directory ensures that, when users log on to the
network, they are authenticated by the authentication authority that is nearest to the user, thus reducing
the amount of network traffic.

Schema
The Active Directory schema is the structure of the database: it contains the definitions
of the objects that can be created. Active Directory objects represent users, groups and network
resources such as computers and printers. All servers, domains, and sites in the network are also
represented as objects. Because Active Directory represents all network resources as objects in a
distributed database, a single administrator can centrally manage and administer these resources.
There is only one schema for the entire forest, so that all objects created in Active Directory conform
to the same rules. The two types of definitions in the schema are classes and attributes.

When you create an object, the properties, or attributes, of that object store the information that
describes the object. Some of these attributes are mandatory and must be assigned a value to create the
object. For example, when you create a user object, you must assign a value to the SAM Account
Name (sAMAccountName) attribute. Users can locate objects throughout Active Directory by searching
for specific attributes. For example, you can search for a particular object by searching on an attribute
value that makes it unique, such as a printer name, or you can search for an object that has a
combination of attribute values, such as a printer with a location value of building 118 and a floor
value of 3.
Active Directory Schema
All databases have a schema which is a formal definition (set of rules)
which govern the database structure and types of objects and attributes
which can be contained in the database. The schema contains a list of all
classes and attributes in the forest.

The schema keeps track of:

 Classes
 Class attributes
 Class relationships such as subclasses (Child classes that inherit
attributes from the super class) and super classes (Parent classes).
 Object relationships such as what objects are contained by other
objects or what objects contain other objects.

There is a classSchema object for each class in the Active Directory
database, and an attributeSchema object for each attribute.

Partitions

Active Directory objects are stored in the Directory Information Tree (DIT),
which is broken into the following partitions:

 Schema partition - Defines the rules for object creation and modification for all
objects in the forest. Replicated to all domain controllers in the forest, it is
known as an enterprise partition.
 Configuration partition - Holds information about the forest directory structure,
including trees, domains, domain trust relationships, and sites (groups of TCP/IP
subnets). Replicated to all domain controllers in the forest, it is also an
enterprise partition.
 Domain partition - Has complete information about all domain objects (objects that
are part of the domain, including OUs, groups, users and others). Replicated only
to domain controllers in the same domain.
o Partial domain directory partition - Held by global catalog servers; it lists
every object in the forest with a partial, read-only set of attributes for each.

The DIT on a given domain controller holds only the partitions that the controller hosts.
Because every controller hosts the schema and configuration partitions, that subset is enough
to start and run the Active Directory service.
Schema Container

The schema container is a special container at the top of the schema
partition and is an object of the Directory Management Domain (dMD) class.
It can be viewed using the MMC "Active Directory Schema" console or
the Active Directory Service Interfaces (ADSI) Edit utility from the installation
CD-ROM. The distinguished name of the schema container is:

CN=Schema,CN=Configuration,DC=<forest root domain>,DC=<top-level domain>

(for example, CN=Schema,CN=Configuration,DC=contoso,DC=msft).

Classes and attributes are stored in classSchema objects and attributeSchema
objects respectively.

attributeSchema Mandatory Attributes

These attributes describe an attribute that other Active Directory objects can carry.

 attributeID - The object identifier (OID) that uniquely identifies the attribute.
 attributeSyntax - OID of the syntax (data type) of the attribute's values.
 cn - Unicode string name of the attribute.
 isSingleValued - A boolean which, when true, indicates that the attribute holds
only one value. If false, the attribute can have several values.
 lDAPDisplayName - Unicode name used to refer to the attribute in LDAP.
 nTSecurityDescriptor - The object's security descriptor.
 objectClass - Always attributeSchema.
 oMSyntax - Integer identifying the attribute's syntax in the X/Open object model
(OM) notation.
 schemaIDGUID - Globally unique identifier of the attribute.

classSchema Mandatory Attributes

These attributes describe a class of Active Directory object.

 cn - Unicode string name of the class.
 defaultObjectCategory - Distinguished name of the object category that objects of
this class belong to by default.
 governsID - The object identifier (OID) that uniquely identifies the class.
 lDAPDisplayName - Unicode name used to refer to the class in LDAP.
 nTSecurityDescriptor - The object's security descriptor.
 objectClass - Always classSchema.
 objectClassCategory - An integer describing the kind of class. The integer value
used for each kind is given in parentheses:
o Abstract class (2) - A class that cannot be instantiated, but is used to
pass attributes down to subclasses.
o Auxiliary class (3) - Used to provide structural or abstract classes
with additional attributes.
o Structural class (1) - A class that can have objects created from it; these
are the objects actually stored in the directory.
o Type 88 class (0) - A class with no category, defined before the 1993 X.500
standard introduced the abstract, auxiliary and structural categories.
 schemaIDGUID - Globally unique identifier of the class.
 subClassOf - Identifier of the class's parent class.

System Attributes

These system attributes can only be changed by the Directory System Agent
(DSA), which manages the Active Directory database.

 systemAuxiliaryClass - The system-protected auxiliary classes that compose the class.
 systemMayContain - Optional, system-protected attributes of the class.
 systemMustContain - Required, system-protected attributes of the class.
 systemPossSuperiors - System-protected classes that may be the parent of this class.

SAM Read-Only Attributes

The SAM is the Security Account Manager. The attributes it controls are:

 badPwdCount
 badPasswordTime
 creationTime
 domainReplica
 isCriticalSystemObject
 lastLogoff
 lastLogon
 lockoutTime
 modifiedCount
 ntPwdHistory
 primaryGroupID
 revision
 sAMAccountName
 sAMAccountType

Schema Modifications

The schema should only be modified when absolutely necessary. Control
mechanisms include:

 The schema operations master domain controller is the only controller from
which the schema can be changed.
 The Schema console must have schema modification set to enabled.
 Each schema object has permissions set through the Windows 2000
security model.

Ways to modify the schema include:

 Using an application programming interface (API).
 LDAP Data Interchange Format (LDIF) scripts.
 LDIFDE bulk schema modification tool.
 CSVDE bulk schema update tool.

Document the following when changing the schema:

 Object issuing authority
 Object ID
 Class hierarchy
 NT security descriptor
 LDAP display name
 Common name
 Class attributes

Global Catalog
Resources in Active Directory can be shared across domains and forests. Active Directory must
therefore provide a method that makes searching for resources across domains and forests transparent
to the user. The global catalog feature of Active Directory makes such searches possible. Global
Catalog is a repository containing information which is necessary to determine the
location of any object in Active Directory. For example, if you search for all of the printers in a
forest, a global catalog server processes the query in the global catalog and then returns the results.
Without a global catalog server, this query would require a search of every domain in the forest.

GLOBAL CATALOG SERVER

Introduction
A global catalog is a searchable master index with data about all objects in a
forest. Only the information required to find an object is stored in the global
catalog. When the first domain controller in the forest is established, a global
catalog is created automatically on that controller. More than one server can host
the global catalog.
A global catalog server is a domain controller that stores the two forest-wide
partitions, schema and configuration, a read/write copy of the partition of its
own domain, and a partial replica of every other domain partition in the forest.
These partial replicas contain a read-only subset of the attributes of every object
in each domain partition, chosen because they are the ones most commonly searched,
such as a user's first name, last name and logon name. For example, if you search
for a printer across the forest, a global catalog server processes the query against
the global catalog and returns the result. Without a global catalog server, this
would require a search of every domain in the forest.

Distinguished and Relative Distinguished Names


Distinguished Name : To search for and modify objects in the Active Directory database, clients use
the Lightweight Directory Access Protocol (LDAP). LDAP is a protocol for accessing on-line
directory services. LDAP is a subset of X.500, an industry standard that defines how directories
should be structured. LDAP uses information about the structure of a directory to find individual
objects, each of which has a unique name. The name that LDAP uses represents an Active Directory
object by a series of components that relate to the logical structure. This representation is called the
distinguished name of the object. The distinguished name identifies the domain where the object is
located and the complete path by which the object is reached. A distinguished name must be unique in
the Active Directory Forest.
Example of Distinguished Name
For a user named Suzan Fine in the Sales organizational unit in the contoso.msft domain, each
element of the logical structure is represented in the following distinguished name:
CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft
CN is the common name of the object in its container.
OU is the organizational unit that contains the object. There can be more than
one OU value if the object resides in a nested organizational unit.
DC is a domain component, such as "com" or "msft". There will always be at
least two domain components, but there might be more if the domain is a child
domain. The domain components of the distinguished name are based upon the Domain
Name System (DNS).

Relative Distinguished Name:The relative distinguished name of an object uniquely identifies the
object within its container. No two objects in the same container can have exactly the same name. The
relative distinguished name is always the first component of the distinguished name, but it might not
always be a common name.
Example of a Relative Distinguished Name
Sales is the relative distinguished name of an organizational unit that is represented by the following
LDAP naming path: OU=Sales,DC=contoso,DC=msft
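The DN and RDN rules above, as an added Python example that is not part of the original page: a parser that splits a DN into its RDNs, recovers the container and the DNS domain name, and escapes values according to RFC 4514. The page's own DN for Suzan Fine is reused; the value "Suzan Fine,OU=Admins" is a constructed input that shows why escaping matters when a DN is built from user-supplied data.

```python
# Added example: parsing and building LDAP distinguished names (DNs).
# Not code from the original page; the DN below is the page's own sample and
# the "Suzan Fine,OU=Admins" value is constructed to illustrate escaping.

# Characters that must be backslash-escaped inside an RDN value (RFC 4514).
SPECIAL = ',+"\\<>;'


def split_dn(dn):
    """Split a DN into (attribute, value) RDN pairs, most specific first.

    A backslash escapes the following character, so 'CN=Fine\\, Suzan' is a
    single RDN whose value contains a comma. A naive dn.split(',') breaks it.
    """
    rdns, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped character literally
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    rdns.append("".join(buf))

    pairs = []
    for rdn_text in rdns:
        attr, sep, value = rdn_text.partition("=")
        if not sep or not attr.strip():
            raise ValueError("malformed RDN: %r" % rdn_text)
        pairs.append((attr.strip(), value))
    return pairs


def escape_rdn_value(value):
    """Escape a raw value so it can be embedded in an RDN (RFC 4514)."""
    out, last = [], len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIAL or (ch == "#" and i == 0) or (ch == " " and i in (0, last)):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def rdn(dn):
    """The relative distinguished name: the first component of the DN."""
    attr, value = split_dn(dn)[0]
    return "%s=%s" % (attr, escape_rdn_value(value))


def parent_dn(dn):
    """The DN of the container that holds the object."""
    return ",".join("%s=%s" % (a, escape_rdn_value(v)) for a, v in split_dn(dn)[1:])


def dns_domain(dn):
    """Reassemble the DC components into the DNS name of the domain."""
    return ".".join(v for a, v in split_dn(dn) if a.upper() == "DC")


def build_dn(attr, value, parent):
    """Build a DN from an attribute, a raw value and the parent container DN.

    Escaping the value keeps a user-supplied name such as 'Suzan Fine,OU=Admins'
    inside the intended container instead of letting the comma splice a new RDN
    into the path (LDAP DN injection).
    """
    return "%s=%s,%s" % (attr, escape_rdn_value(value), parent)


if __name__ == "__main__":
    dn = "CN=Suzan Fine,OU=Sales,DC=contoso,DC=msft"
    print(rdn(dn), "|", parent_dn(dn), "|", dns_domain(dn))
    print(build_dn("CN", "Suzan Fine,OU=Admins", "OU=Sales,DC=contoso,DC=msft"))
```

Note the contrast between build_dn and plain string concatenation: concatenating the unescaped value produces CN=Suzan Fine,OU=Admins,OU=Sales,..., whose container is OU=Admins, not OU=Sales.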

How Active Directory Enables a Single Sign-on ?


Active Directory enables a single sign-on, which makes the complex processes of authentication and
authorization transparent to the user. A single sign-on is made up of authentication, which verifies the
credentials of the connection attempt, and authorization, which verifies that the connection attempt is
allowed. With a single sign-on, users do not have to manage multiple sets of credentials and can
access the resources for which they are authorized without thinking about the processes that occur
behind the scenes. However, as systems engineers, we must understand how these processes work in
order to troubleshoot the Active Directory structure.
The single sign-on process occurs as follows:
1. The user enters credentials at a workstation to perform an interactive logon.
2. The client does not send the password itself. It derives an encryption key from the password and
uses that key to encrypt a timestamp (Kerberos pre-authentication), which it sends to a domain
controller for the client's domain.
3. A Kerberos service, the Key Distribution Center (KDC), resides on each domain controller and
stores the key derived from each account's password. The KDC decrypts the pre-authentication
data with the stored key; if the timestamp is valid, the client has proved knowledge of the
password and the process continues.
4. The domain controller creates a list of the domain-based groups to which the user belongs.
5. The domain controller queries the global catalog to identify the universal groups to which the
user belongs. If the domain controller has universal group membership caching enabled, the
global catalog is not queried and the universal group memberships are obtained from the
cache on the domain controller.
6. The KDC issues the client a ticket-granting ticket (TGT). The TGT is encrypted with a key that
only the KDC holds and contains the security identifiers (SIDs) of the user and of the groups of
which the user is a member.
7. The client requests access to a resource that resides on a specific server.
8. The client presents the TGT to the ticket-granting service (TGS) on the domain
controller.
9. The TGS issues the client a service ticket, also called a session ticket, for the server where the
resource resides. The session ticket is encrypted with the server's key and carries the same SIDs
for the user's group memberships.
10. The client presents the session ticket to the server where the resource resides. The Local
Security Authority (LSA) on the server decrypts it and uses the SIDs in the ticket to create an
access token.
11. The LSA compares the SIDs in the access token with the groups that are assigned permissions
in the resource's discretionary access control list (DACL). If they match, the user is granted
access to the resource.
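Steps 10 and 11 above, as an added Python model that is neither code from the original page nor Windows code: the token is built from the user and group SIDs, and the DACL is walked in canonical order. The domain SID S-1-5-21-1-2-3, the user RID 1105 and the Sales and Printer Admins groups are constructed for illustration; RID 513 for Domain Users is the real well-known RID, and the evaluation rules (deny ACEs ahead of allow ACEs in a canonical DACL, an empty DACL grants nothing, an absent DACL grants everything) are the real ones.

```python
# Added example: the LSA access check in steps 10-11, modelled in Python.
# Not code from the original page. SIDs and the DACL are constructed for
# illustration; the evaluation rules are the real Windows rules.
from collections import namedtuple

Ace = namedtuple("Ace", "kind sid mask")  # kind is "allow" or "deny"

READ, WRITE, EXECUTE = 0x1, 0x2, 0x4

# Constructed SIDs for a hypothetical domain S-1-5-21-1-2-3.
USER = "S-1-5-21-1-2-3-1105"
DOMAIN_USERS = "S-1-5-21-1-2-3-513"      # RID 513 is the well-known Domain Users RID
SALES = "S-1-5-21-1-2-3-1201"            # hypothetical domain local group
PRINTER_ADMINS = "S-1-5-21-1-2-3-1301"   # hypothetical universal group

# The resource's DACL as an administrator might have written it. Note that the
# deny ACE comes last here, i.e. the list is NOT in canonical order.
DACL = [
    Ace("allow", DOMAIN_USERS, READ),
    Ace("allow", PRINTER_ADMINS, READ | WRITE),
    Ace("deny", SALES, WRITE),
]


def build_token(user_sid, domain_group_sids, universal_group_sids):
    """Steps 4-6 and 10: the access token carries the user's SID and the SIDs
    of every domain-based and universal group the user belongs to."""
    return frozenset([user_sid, *domain_group_sids, *universal_group_sids])


def canonical(dacl):
    """Canonical DACL order: explicit deny ACEs before explicit allow ACEs.
    sorted() is stable, so ACEs of the same kind keep their relative order."""
    return sorted(dacl, key=lambda ace: 0 if ace.kind == "deny" else 1)


def access_check(token, dacl, requested, reorder=True):
    """Step 11. Walk the ACEs; an ACE applies only if its SID is in the token.
    An allow ACE grants the rights it lists; a deny ACE that covers any still-
    ungranted requested right denies access outright. With reorder=False the
    DACL is evaluated exactly as written, which shows why canonical order
    matters."""
    if dacl is None:            # no DACL at all: everyone has full access
        return True
    aces = canonical(dacl) if reorder else dacl
    granted = 0
    for ace in aces:
        if ace.sid not in token:
            continue
        if ace.kind == "deny" and ace.mask & requested & ~granted:
            return False
        if ace.kind == "allow":
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return False                # empty DACL or nothing matched: access denied


if __name__ == "__main__":
    token = build_token(USER, [DOMAIN_USERS, SALES], [PRINTER_ADMINS])
    print("read :", access_check(token, DACL, READ))
    print("write:", access_check(token, DACL, WRITE))
    print("write, DACL evaluated as written:", access_check(token, DACL, WRITE, reorder=False))
```

The reorder=False call is the cautionary case: evaluated in the order written, the Printer Admins allow ACE satisfies the WRITE request before the Sales deny ACE is ever reached, which is why Windows tools always store explicit deny ACEs first.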
Active Directory Management
Active Directory allows administrators to manage large numbers of users, computers, printers, and
network resources from a central location by using the administrative tools that Windows Server 2003
provides. Active Directory also supports decentralized administration by allowing an administrator
with the proper authority to delegate a selected set of administrative privileges to appropriate users or
groups within an organization. Active Directory provides a number of features that allow
administrators to manage resources centrally. The following describes how Active Directory enables
centralized administration.

How Active Directory Enables Centralized Administration


1. Active Directory contains information about all objects and their attributes. The attributes
hold data that describes the resource that the directory object identifies. Because information
about all network resources is stored in Active Directory, a single administrator can centrally
manage and administer network resources.
2. Active Directory can be queried by using protocols such as LDAP. Administrators can easily
locate information about objects by searching for selected attributes of the object, using tools
that support LDAP.
3. Active Directory allows you to group objects with similar administrative and security
requirements into organizational units. Organizational units provide multiple levels of
administrative authority for both applying Group Policy settings and delegating
administrative control. This delegation of administrative authority simplifies the task of
managing these objects and allows administrators to structure Active Directory to fit their
needs.
4. Active Directory uses Group Policy to provide administrators with the ability to specify
Group Policy settings for a site, domain, or organizational unit. Active Directory then
enforces these Group Policy settings for all of the users and computers within the container.
How Active Directory Supports Decentralized Management:
Active Directory enables you to delegate administrative privileges for certain objects to appropriate
groups within an organization. This is possible because the structure of Active Directory allows you to
assign permissions and grant user rights in very specific ways. We can delegate the following types of
administrative control:
1. Assigning permissions, such as Full Control, for specific organizational units to different
domain local groups.
2. Assigning the permissions to modify specific attributes of an object in a single organizational
unit. For example, assigning the permission to change name, address, and telephone number,
and to reset passwords on a user account object.
3. Assigning the permissions to perform the same task, such as resetting passwords, in all
organizational units of a domain.

Some common GUI tools for administering Active Directory.

1. Active Directory Users and Computers A Microsoft Management Console
(MMC) snap-in that you can use to administer and publish information in the directory.
Using Active Directory Users and Computers, you can manage user accounts,
groups, and computer accounts, add computers to a domain, and manage account
policy, user rights, and audit policy.
2. Active Directory Domains and Trusts An MMC that you can use to administer
domain trusts and forest trusts, add user principal name suffixes, and change the
domain and forest functional levels.
3. Active Directory Sites and Services An MMC that you can use to administer the
replication of directory data.
4. Active Directory Schema The Active Directory Schema MMC is an Active
Directory administrative tool for managing the schema. It is not available by
default on the Administrative Tools menu, and must be added manually.
5. CSVDE Imports and exports Active Directory data by using comma-separated
format.
6. LDIFDE Can be used to create, modify, and delete Active Directory objects.
This tool can also be used to extend the Active Directory schema, export user and
group information to other applications or services, and populate Active Directory
with data from other directory services.
7. ADSI Editor The ADSI editor is an MMC snap-in that can be used to view,
create, modify and delete objects in Active Directory.ADSI provides a simple,
powerful, scriptable interface to Active Directory to enable administrators to
create reusable scripts for managing Active Directory. ADSI uses the LDAP
protocol to communicate with Active Directory.

You can create scripts by using ADSI to perform the following tasks:
1. Retrieve information about Active Directory objects
2. Add objects to Active Directory
3. Modify Active Directory object attribute values
4. Delete objects from Active Directory
5. Extend the Active Directory schema
ADS and DNS Integration
DNS domains and Active Directory domains use identical domain names for different namespaces.
Using identical domain names enables computers in a Windows Server 2003 network to use DNS to
locate domain controllers and other computers that provide Active Directory-related services. The
integration of DNS and Active Directory is essential because a client computer in a Windows Server
2003 network must be able to locate a domain controller to allow users to log on to a domain or to use
the services provided by Active Directory. To locate a domain controller, a computer uses DNS to
look up the IP address of a computer that provides the required service within Active Directory.

Active Directory Integrated Zones


One of the benefits of integrating DNS and Active Directory is the capability to integrate DNS zones
into the Active Directory database. A zone is a portion of the domain namespace that has a logical
grouping of resource records allowing zone transfers of these records as a single unit.
Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP
addresses to host names, in a database file with the extension .dns, for each zone. Active Directory
integrated zones are primary and stub DNS zones that are stored as objects in the Active Directory
database. Zone objects can be stored in an Active Directory application partition or in an Active
Directory domain partition. If zone objects are stored in an Active Directory application partition, only
domain controllers that subscribe to the application partition will participate in the replication of this
partition. However, if zone objects are stored in an Active Directory domain partition, they will be
replicated to all Domain Controllers in the Domain

SRV RESOURCE RECORDS

For Active Directory to function properly, client computers must be able to locate servers that provide
specific services such as authenticating logon requests and searching for information in Active
Directory. To achieve this, Active Directory stores information about the location of the computers
that provide these services in DNS records known as SRV resource records.
SRV resource records link the name of a service to the DNS computer name for the computer that
offers that service. For example, an SRV record can contain information to help clients locate a
domain controller in a specific domain or forest.
When a domain controller starts, it registers SRV records, which contain information about the
services it provides, and an A resource record that contains its DNS computer name and its IP address.
A DNS client later uses this combined information to locate the requested service on the appropriate
domain controller.
All SRV records use a standard format, which consists of fields that contain the information used to
map a specific service to the computer that provides the service.

SRV records use the following format:

_Service._Protocol.Name TTL Class SRV Priority Weight Port Target

The following is an example of an SRV record registered by a computer:
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft

The SRV record indicates that the computer:
1. Provides the LDAP service
2. Provides the LDAP service over the TCP transport protocol
3. Registered the SRV record in the contoso.msft DNS domain
4. Gave the record a time to live (TTL) of 600 seconds (10 minutes)
5. Has the FQDN london.contoso.msft
The remaining fields, 0 100 389, are the record's priority, its weight and the port on which the
service listens (389 is the LDAP port).

Procedure for viewing SRV records by using the DNS snap-in

You can use either the DNS console or the NSLookup utility to view the SRV records registered by
domain controllers. To view the SRV resource records registered by domain controllers by using the
DNS snap-in, perform the following steps:
1. Open DNS from the Administrative Tools menu.
2. Double-click Server (where Server is the name of your DNS server), double-click Forward
Lookup Zones, and then double-click the domain.
3. Open the following folders in the domain folder to view the SRV resource records that are
registered:
• _msdcs
• _sites
• _tcp
• _udp

How clients locate resources

To log on to a Windows Server 2003 domain or to search Active Directory, a client computer must
contact a domain controller. All domain controllers register both A resource records and SRV records.
The A resource record contains the FQDN and IP address for the domain controller. The SRV record
contains the FQDN of the domain controller and the name of the service that the domain controller
provides. Therefore, the client computer can query DNS to locate a domain controller.

The following describes the process of how a computer locates a domain controller:

1. A user logs on to the domain, initiates an Active Directory search, or performs other tasks that
require a domain controller. The Net Logon service on the client (the computer that is
locating the domain controller) starts the DsGetDcName application programming interface
(API).
2. Net Logon collects information about the client and the specific service required; this
information will be included in the DNS query. This information is specified by the following
DsGetDcName parameters:
• ComputerName. The name of the client computer.
• DomainName. The name of the DNS domain that will be queried.
• SiteName. The name of the site in which the domain controller should be located. If
the site is not specified, the domain controller that will be located is in the site that is
closest to the site in which the client computer is located. The client also specifies that
the domain controller should be an LDAP server in the domain named by DomainName,
or a global catalog server or KDC server for the forest in which DomainName is located.
3. The Net Logon service sends a DNS query to a DNS server. This DNS query contains the
information it collected from the client and specifies the service that is required.
4. The DNS server queries the DNS zone database for SRV records that match the service
required by the client in the domain named by DomainName.
5. The DNS server returns a list of IP addresses of domain controllers that provide the service
requested in the domain specified by the client.
6. The Net Logon service sends a datagram (an LDAP UDP message) to one or more of the
located domain controllers to determine whether it is running and whether it supports the
specified domain.
7. Each available domain controller responds to the datagram to indicate that it is currently
operational, and then returns the information to DsGetDcName. The Net Logon service
returns the information to the client from the domain controller that responds first.
8. The client computer chooses the first domain controller that responds and meets the criteria,
and then sends the request to that domain controller. The Net Logon service caches the
domain controller information so that the client computer need not repeat the
discovery process for subsequent requests. Caching this information also encourages the
consistent use of the same domain controller.
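The SRV record format described earlier and locator steps 3 to 8 above, as an added example (my code, not from the notes): it parses zone-file SRV lines like the contoso.msft sample, filters them by service and domain, and then picks a domain controller the way Net Logon does. The paris and berlin hosts, the kerberos record and the is_alive callback (standing in for the LDAP UDP datagram) are assumptions; ordering by priority and weight follows RFC 2782, which the notes do not spell out.

```python
import random
from collections import namedtuple

# Constructed sample zone text: the record from the notes plus three made-up ones.
SAMPLE_ZONE = """\
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 london.contoso.msft
_ldap._tcp.contoso.msft 600 IN SRV 0 100 389 paris.contoso.msft
_ldap._tcp.contoso.msft 600 IN SRV 10 100 389 berlin.contoso.msft
_kerberos._udp.contoso.msft 600 IN SRV 0 100 88 london.contoso.msft
"""

# service, protocol and domain come from the owner name _Service._Protocol.Name.
SrvRecord = namedtuple("SrvRecord", "service protocol domain ttl priority weight port target")

def parse_srv(line):
    """Parse one zone-file line: _Service._Protocol.Name TTL IN SRV Priority Weight Port Target."""
    f = line.split()
    if len(f) != 8 or f[2:4] != ["IN", "SRV"]:
        raise ValueError(f"not an SRV record: {line!r}")
    labels = f[0].split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError(f"owner name must be _service._protocol.name: {f[0]!r}")
    ttl, pri, wt, port = (int(x) for x in (f[1], f[4], f[5], f[6]))
    if not all(0 <= v <= 65535 for v in (pri, wt, port)):
        raise ValueError("priority, weight and port are 16-bit values")
    return SrvRecord(labels[0][1:], labels[1][1:], ".".join(labels[2:]),
                     ttl, pri, wt, port, f[7].rstrip("."))

def lookup(zone_text, service, proto, domain):
    """Step 4: the SRV records that match the requested service and domain."""
    recs = [parse_srv(l) for l in zone_text.splitlines() if l.strip()]
    return [r for r in recs if (r.service, r.protocol, r.domain) == (service, proto, domain)]

def locate_dc(zone_text, domain, is_alive, cache):
    """Steps 3-8 for LDAP: query _ldap._tcp.<domain>, probe candidates lowest priority
    first (weighted within a priority, per RFC 2782), keep and cache the first
    responder; returns None when no domain controller answers."""
    if domain in cache:
        return cache[domain]
    groups = {}
    for r in lookup(zone_text, "ldap", "tcp", domain):
        groups.setdefault(r.priority, []).append(r)
    for pri in sorted(groups):
        group = groups[pri]
        while group:
            weights = [r.weight for r in group] if any(r.weight for r in group) else None
            r = random.choices(group, weights=weights)[0]  # zero-weight targets come last
            group.remove(r)
            if is_alive(r.target, r.port):                 # step 6: the LDAP UDP "ping"
                cache[domain] = r.target                   # step 8: remember the answer
                return r.target
```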

The purpose of SID


Windows uses a data structure known as a Security ID (SID) to identify users, computers and groups.
SIDs have two components. The first part uniquely identifies a domain; the second part uniquely
identifies a user account, computer account, or group managed by that domain. Windows uses SIDs to
identify users and groups in access control lists (ACLs) and group
memberships. When a user account is migrated to a different domain, it is assigned a new SID, which
results in the loss of group memberships based on the old account SID. SID history is an attribute on
user and group objects in Active Directory and is used to hold the previous SID of a migrated user
account. If a user account is migrated multiple times, SID history stores a list of all the SIDs the user
was assigned. SID history provides a migrated user with continuity of access to resources, until all the
necessary groups or ACLs can be updated using the new account SID.
When a Windows Server 2003 domain controller authenticates a user, it computes group memberships
using both the current user account SID and any SIDs in SID history. If the user account has been
migrated, access to resources based on the previous account is therefore maintained.
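The two-part SID structure and the logon computation described above, as an added example (my code, not from the notes): it splits a domain SID into its domain identifier and RID, then builds the set of SIDs a logon evaluates from the current SID, SID history and group membership, so that a group still listing the old SID continues to grant access. The domain identifiers, RIDs and group names are constructed, and the group and ACL lookups are simplified stand-ins for the directory and the ACL check.

```python
import re

# Constructed sample: an account migrated from an old domain into contoso.msft.
# Domain identifiers, RIDs and group names are made up for the example.
OLD_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"   # SID in the old domain
NEW_SID = "S-1-5-21-4444444444-5555555555-6666666666-1201"   # SID after migration
SID_HISTORY = [OLD_SID]                                       # SID history on the new account
GROUP_MEMBERS = {   # group SID -> member SIDs, as still recorded on the groups
    "S-1-5-21-1111111111-2222222222-3333333333-1106": {OLD_SID},   # old Finance group
    "S-1-5-21-4444444444-5555555555-6666666666-1300": {NEW_SID},   # new Staff group
}

# S-1-5-21-<three sub-authorities> identifies the domain; the last value is the RID.
SID_RE = re.compile(r"^S-1-5-21-(\d+)-(\d+)-(\d+)-(\d+)$")

def split_sid(sid):
    """Return the two parts of a domain SID: the domain identifier and the RID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain account SID: {sid!r}")
    return "S-1-5-21-" + "-".join(m.groups()[:3]), int(m.group(4))

def token_sids(account_sid, sid_history, group_members):
    """SIDs the logon computes for the user: the current SID, every SID in
    SID history, and every group whose member list names any of those."""
    identities = {account_sid, *sid_history}
    groups = {g for g, members in group_members.items() if identities & members}
    return identities | groups

def is_allowed(acl_allow_sids, account_sid, sid_history, group_members):
    """Simplified ACL check: any token SID that the ACL allows grants access."""
    return bool(token_sids(account_sid, sid_history, group_members) & set(acl_allow_sids))
```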
