Windows.NET Beta 3 Active Directory New Features




Windows.NET Beta 3 Active Directory New Features
Wolfgang Werner, Compaq
DECUS Bonn 2002

Agenda
- Install Replica from Media
- Domain Controller Rename
- Domain Rename
- Universal Group Membership Caching
- Linked Value Replication
- Forest Trusts
- Application Directory Partitions
- Defunct Schema Objects
- InetOrgPerson

http://www.decus.de 1

Install Replica from Media
- Problem: installing a Domain Controller at a site with a slow network connection
- Windows 2000 replicates a complete copy of the Active Directory database, and possibly the Global Catalog, over the network

Install Replica from Media
- Windows.NET Server allows loading the Active Directory database from a backup of an existing Domain Controller or Global Catalog server
- Back up the system state of an existing DC
- Restore the system state to an alternate location on the target server

Install Replica from Media
- Run DCPROMO in Advanced Mode: DCPROMO /ADV

Install Replica from Media
- Network connectivity is still required for up-to-date information
- Changes in the AD database and SYSVOL folder updates are replicated over the network
- Restrictions:
  - The backup cannot be older than the tombstone lifetime (default 60 days)
  - Application directory partitions will not be restored

Domain Controller Rename
- In Windows 2000 a domain controller (DC) can't be renamed
- In Windows.NET DCs can be renamed without being demoted first
- The new name is automatically updated in DNS and Active Directory

Domain Controller Rename
- No Explorer-like features
- Procedure:
  1. Add a new name
  2. Wait for the new name to propagate through the network
  3. Remove the old name

Domain Controller Rename: Add new name
- NETDOM COMPUTERNAME oldname /ADD:newname
- Wait for replication of the DNS host (A) records and of the servicePrincipalName attribute to all DCs in the domain and all Global Catalog servers in the forest

Domain Controller Rename: Update computer account in AD
- NETDOM COMPUTERNAME oldname /MAKEPRIMARY:newname
- Reboot
- Wait for the replication of the DNS Locator resource records (defined in system32\config\netlogon.dns)

Domain Controller Rename: Remove old name
- NETDOM COMPUTERNAME newname /REMOVE:oldname
  - Removes the old DNS host (A) records
  - Removes the old name in Active Directory
- Change "Computer Name" in the System Control Panel

Domain Controller Rename
- Moving DCs between domains was planned but will not be implemented
- Certification Authorities cannot be renamed
- DNS and Active Directory replication latency may cause temporary unavailability
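The three NETDOM steps above, with the replication waits turned into checks, as an added example (not from the slides); it assumes the ActiveDirectory module and Resolve-DnsName (Windows Server 2012 or later), and the host and domain names are placeholders.

```powershell
# Added example (not from the DECUS slides): drives the NETDOM rename steps and
# checks, between steps, that the new name has replicated instead of waiting a
# fixed time. Assumes the ActiveDirectory module and Resolve-DnsName (Windows
# Server 2012 or later); the host and domain names are placeholders.
Import-Module ActiveDirectory

$OldName = 'dc01.corp.example'       # placeholder: current FQDN of the DC
$NewName = 'dc01-new.corp.example'   # placeholder: desired FQDN of the DC
$Domain  = 'corp.example'            # placeholder: DNS name of the domain

# $true once every DC in the domain holds an SPN for the new name and DNS
# answers an A query for it (the two conditions the slides say to wait for)
function Test-NewNameReplicated {
    param([string]$ComputerName, [string]$NewFqdn, [string]$DomainName)
    $sam = $ComputerName.Split('.')[0] + '$'
    $missing = @()
    foreach ($dc in Get-ADDomainController -Filter * -Server $DomainName) {
        $acct = Get-ADComputer -Identity $sam -Properties servicePrincipalName -Server $dc.HostName
        if (-not ($acct.servicePrincipalName -match [regex]::Escape($NewFqdn))) {
            $missing += $dc.HostName
        }
    }
    if ($missing) { Write-Host "SPN for $NewFqdn not yet on: $($missing -join ', ')" }
    $a = Resolve-DnsName -Name $NewFqdn -Type A -ErrorAction SilentlyContinue
    return ($missing.Count -eq 0 -and $null -ne $a)
}

# Step 1: NETDOM COMPUTERNAME oldname /ADD:newname
& netdom computername $OldName "/add:$NewName"
if ($LASTEXITCODE -ne 0) { throw 'netdom /add failed' }

# Step 2: wait for replication of the A records and the servicePrincipalName
while (-not (Test-NewNameReplicated $OldName $NewName $Domain)) {
    Start-Sleep -Seconds 300
}

# Step 3: NETDOM COMPUTERNAME oldname /MAKEPRIMARY:newname, then reboot
& netdom computername $OldName "/makeprimary:$NewName"
if ($LASTEXITCODE -ne 0) { throw 'netdom /makeprimary failed' }
Write-Host "Reboot $OldName now; after the Netlogon locator records have"
Write-Host "replicated, finish with: netdom computername $NewName /remove:$OldName"
```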

Renaming Domains
- Change the DNS and NetBIOS names of the forest-root domain, any tree-root domains, any parent and child domains
- Restructure a domain's position within a forest

Renaming Domains
- No pruning and grafting capabilities
- Windows.NET Help and Support: "A domain rename will affect every domain controller in your forest and is a thorough multi-step process that requires a detailed understanding of the operation"
- Resources from http://www.microsoft.com/windows2000/downloads/tools/domainrename/default.asp
  - Understanding How Domain Rename Works (28 pages)
  - Step-by-Step Guide to Implementing Domain Rename (69 pages)
  - rendom.exe utility

Renaming Domains
- The identity of the forest root domain cannot be changed
- If Exchange 2000 is deployed in the same forest, domain rename is blocked
- Each domain controller in the forest will be out of service briefly
- All Domain Controllers in the forest that were unreachable during the operation or finished in the Error state must be demoted
- Any external trust relationships must be re-established
- ...

Universal Group Membership Caching
- In Windows 2000 a Global Catalog server is required for logging on to a domain, to determine the user's membership in universal groups
- If no local GC is available, a server in a remote site will be used
- Recommendation: at least one GC per site (adds replication traffic)

Universal Group Membership Caching: If no Global Catalog is available
- If the user is an administrator, logon succeeds
- If only a Domain Controller is available, the user fails to log on to the workstation
- If no Domain Controller is available, the user is logged on with cached credentials

Universal Group Membership Caching
- Workaround in Windows 2000: HKLM\System\CCS\Control\Lsa\IgnoreGCFailures = 1
- Q241789: How to Disable Requirement that a Global Catalog Server Be Available to Validate User Logons
- Potential security vulnerability if universal groups are also used

Universal Group Membership Caching
- Windows.NET adds the ability to cache the universal group memberships of users
- Enabling this caching process is done on a site-by-site basis
- To enable GC-less logon, modify the NTDS Site Settings object of the site (AD Sites and Services)

Universal Group Membership Caching
- The DC will use the cached information even if a GC is available
- The cache is updated in eight-hour intervals (default)
- This caching mechanism may allow stale data
- Cached data expires from lack of use: no logon in 180 days (default)

Universal Group Membership Caching
- To adjust the default refresh interval: HKLM\System\CCS\Services\NTDS\Parameters\Cached Membership Refresh Interval (DWORD, in minutes)
- To adjust the default expiration time period: HKLM\System\CCS\Services\NTDS\Parameters\Cached Membership Site Stickiness (DWORD, in minutes)

Universal Group Membership Caching
- msds-cached-membership: single-valued attribute added to the user object
- Stores the SIDs of the universal groups to which the user belongs
- To populate the attribute, the DC must contact a GC when a user first logs on
- Not replicated between Domain Controllers

Universal Group Membership Caching
- No GUI to control an update of the cached msds-cached-membership attributes
- Use ADSI (VBScript) to write the UpdateCachedMemberships operational attribute on RootDSE:

    set objroot = GetObject("LDAP://RootDSE")
    objroot.put "UpdateCachedMemberships", 1
    objroot.setinfo

Universal Group Membership Caching
- To diagnose group membership caching: HKLM\SYSTEM\CCS\Services\NTDS\Diagnostics\20 Group Caching = 5 (full diagnostic)
- Information is written to the Directory Service event log
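An added example (not from the slides) that audits the Windows 2000 IgnoreGCFailures workaround and manages the caching settings described on the slides above from PowerShell; it assumes the 0x20 bit of the NTDS Site Settings options attribute (NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED) and a placeholder site name.

```powershell
# Added example (not from the slides): audits the Windows 2000 IgnoreGCFailures
# workaround and manages Universal Group Membership Caching on a DC, using the
# registry values named on the slides. The 0x20 bit of the NTDS Site Settings
# "options" attribute is NTDSSETTINGS_OPT_IS_GROUP_CACHING_ENABLED; the site
# name at the bottom is a placeholder. Run on a DC with enterprise admin rights.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$NtdsDiag   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$LsaKey     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# With IgnoreGCFailures=1 a logon proceeds without the user's universal group
# SIDs in the token, so deny ACEs that rely on universal groups are not applied.
function Test-IgnoreGcFailures {
    $v = (Get-ItemProperty -Path $LsaKey -Name IgnoreGCFailures -ErrorAction SilentlyContinue).IgnoreGCFailures
    if ($v -eq 1) { Write-Warning "IgnoreGCFailures=1 is set on $env:COMPUTERNAME" }
    return ($v -eq 1)
}

function Get-SiteSettings { param([string]$SiteName)
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    [ADSI]"LDAP://CN=NTDS Site Settings,CN=$SiteName,CN=Sites,$cfg" }

# Is caching switched on for the site (the "GC-less logon" setting on the slides)?
function Get-SiteGroupCaching { param([string]$SiteName)
    $opts = [int](Get-SiteSettings $SiteName).options.Value   # unset attribute -> 0
    return (($opts -band 0x20) -ne 0) }

function Set-SiteGroupCaching { param([string]$SiteName, [bool]$Enable)
    $obj  = Get-SiteSettings $SiteName
    $opts = [int]$obj.options.Value
    if ($Enable) { $opts = $opts -bor 0x20 } else { $opts = $opts -band (-bnot 0x20) }
    $obj.Put('options', $opts); $obj.SetInfo() }

# Refresh interval (default 8 h) and expiry after no logon (default 180 days),
# both DWORD values in minutes, as listed on the slides
function Set-CacheTimers { param([int]$RefreshMinutes = 480, [int]$StickinessMinutes = 259200)
    Set-ItemProperty -Path $NtdsParams -Name 'Cached Membership Refresh Interval' -Value $RefreshMinutes -Type DWord
    Set-ItemProperty -Path $NtdsParams -Name 'Cached Membership Site Stickiness'  -Value $StickinessMinutes -Type DWord }

# PowerShell equivalent of the ADSI script on the slides: force a cache refresh
function Update-CachedMemberships {
    $root = [ADSI]'LDAP://RootDSE'
    $root.Put('UpdateCachedMemberships', 1); $root.SetInfo() }

# Full diagnostics for "20 Group Caching" go to the Directory Service event log
function Enable-GroupCachingDiagnostics { param([int]$Level = 5)
    Set-ItemProperty -Path $NtdsDiag -Name '20 Group Caching' -Value $Level -Type DWord }

# Example run for one branch site (placeholder name)
$site = 'Branch-Office'
if (Test-IgnoreGcFailures) { Write-Warning 'Enable caching for the site and remove IgnoreGCFailures instead' }
if (-not (Get-SiteGroupCaching $site)) { Set-SiteGroupCaching $site $true }
Set-CacheTimers -RefreshMinutes 240     # refresh more often than the 8-hour default
Update-CachedMemberships
```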

Linked Value Replication
Novell's claims against Active Directory (December 1999): "DID YOU KNOW that Microsoft recommends against distributed group management? MS recommends that all group membership should be done from a single machine. WHY? If two administrators manage an AD group (add/delete a user to/from the group) before the group COMPLETELY synchronizes to ALL AD domain controllers, changes will be lost."

Linked Value Replication
- In Windows 2000 group membership is stored as a single multi-valued attribute
- If the group membership is modified, the complete membership attribute is replicated, even when adding or removing a single member
- If membership is modified on two different DCs simultaneously, changes might be lost
- Windows 2000 workaround: use only one Domain Controller to change group membership

Linked Value Replication
- Windows.NET removes this issue
- A linked value is a pointer to another object in the directory
- A multi-valued linked-value attribute is a list of pointers to other objects in the directory
- Replication metadata is stored for every single value of that list
- Now a single value can be replicated on its own

Linked Value Replication
Novell's claims against Active Directory (December 1999): "DID YOU KNOW that Microsoft recommends no more than 5000 users in an Active Directory group? WHY? Because group membership is sent out as a single attribute value. So, if you add the 5000th user to a group of 4999 members, instead of sending just the new user, the entire group (all 5000 users) is sent to ALL domain controllers."

Linked Value Replication
- 5000 members is not a hard limit
- The attribute becomes too large to be replicated in a single transaction
- Windows 2000 workaround: use smaller groups to compose larger groups
- Windows.NET removes the issue by replicating only the updates to the group membership
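A small simulation, added here and not part of the slides, of the lost-update problem described above: two DCs edit the same group before replicating, first with one stamp for the whole attribute (Windows 2000) and then with per-value metadata (LVR). All data is constructed; the stamps are simplified to (version, time).

```powershell
# Added example (not from the slides): why whole-attribute replication loses one
# of two concurrent membership edits and per-value metadata (LVR) keeps both.
# Constructed data; stamps are simplified to (version, time), higher wins.

# Windows 2000 model: one stamp covers the whole "member" attribute
function New-W2kReplica { param([string[]]$Members)
    @{ Members = [System.Collections.Generic.List[string]]$Members; Version = 1; Time = 0 } }
function Edit-W2k { param($R, [string]$Add, [string]$Remove, [int]$Time)
    if ($Add)    { $R.Members.Add($Add) }
    if ($Remove) { [void]$R.Members.Remove($Remove) }
    $R.Version++; $R.Time = $Time }
# Inbound replication: the higher stamp replaces the entire member list
function Sync-W2k { param($Dest, $Src)
    if ($Src.Version -gt $Dest.Version -or
       ($Src.Version -eq $Dest.Version -and $Src.Time -gt $Dest.Time)) {
        $Dest.Members = [System.Collections.Generic.List[string]]$Src.Members
        $Dest.Version = $Src.Version; $Dest.Time = $Src.Time } }

# LVR model: every value carries its own stamp and a present/absent flag
function New-LvrReplica { param([string[]]$Members)
    $h = @{}; foreach ($m in $Members) { $h[$m] = @{ Present = $true; Version = 1; Time = 0 } }; $h }
function Edit-Lvr { param($R, [string]$Add, [string]$Remove, [int]$Time)
    if ($Add)    { $R[$Add] = @{ Present = $true; Version = 1; Time = $Time } }
    if ($Remove) { $v = $R[$Remove]; $v.Present = $false; $v.Version++; $v.Time = $Time } }
# Inbound replication: each value is compared and replaced independently
function Sync-Lvr { param($Dest, $Src)
    foreach ($name in $Src.Keys) {
        $s = $Src[$name]; $d = $Dest[$name]
        if (-not $d -or $s.Version -gt $d.Version -or
           ($s.Version -eq $d.Version -and $s.Time -gt $d.Time)) {
            $Dest[$name] = @{ Present = $s.Present; Version = $s.Version; Time = $s.Time } } } }
function Get-LvrMembers { param($R) @($R.Keys | Where-Object { $R[$_].Present } | Sort-Object) }

# Scenario: DC1 adds alice while DC2 removes bob, before either change replicates
$w1 = New-W2kReplica 'bob','carol'; $w2 = New-W2kReplica 'bob','carol'
Edit-W2k $w1 -Add 'alice' -Time 10
Edit-W2k $w2 -Remove 'bob' -Time 11
Sync-W2k $w1 $w2; Sync-W2k $w2 $w1
"Windows 2000 result: $($w1.Members -join ',')"    # carol only: alice's add was lost

$l1 = New-LvrReplica 'bob','carol'; $l2 = New-LvrReplica 'bob','carol'
Edit-Lvr $l1 -Add 'alice' -Time 10
Edit-Lvr $l2 -Remove 'bob' -Time 11
Sync-Lvr $l1 $l2; Sync-Lvr $l2 $l1
"LVR result: $((Get-LvrMembers $l1) -join ',')"     # alice,carol: both edits kept
```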

Forest Trusts
- In Windows 2000 Kerberos authentication is only forest-wide
- To create trusts between forests, NTLM trusts between every domain in each forest must be created

Forest Trusts
- In Windows.NET a transitive Kerberos trust between two forests' root domains can be created
- Authorization and authentication occur transparently between the linked forests
- Forest trusts are targeted at companies undergoing mergers or acquisitions, or seeking a solution for administrative autonomy
- A cross-forest trust can be one-way or two-way

Forest Trusts
- Two-way: all users in both forests are able to access all resources anywhere in either forest
- One-way, incoming: only users in the first forest are able to access resources anywhere in the second forest; users in the second forest will not be able to access any resources in the first forest
- One-way, outgoing: only users in the second forest are able to access resources anywhere in the first forest; users in the first forest will not be able to access any resources in the second forest

Forest Trusts
- To define trust relationships, use the new Trust Wizard

Forest Trusts
- Forest trusts can only be created between two forests
- The relationship is not transitive between forests
- Exchange Server still sees two different organizations
- No way to unify forests into one forest: still two Global Catalogs, still two schemas

Application Directory Partitions
- A naming context (also called a directory partition)
- Stores application-specific data in the Active Directory
- Used for redundancy, availability, or fault tolerance
- Windows 2000: only three choices of replication scope
  - Not replicated
  - Domain-wide (domain naming context)
  - Forest-wide (configuration naming context)

Application Directory Partitions
- In Windows 2000 data may go to places where it is not used
  - All application data is replicated to every DC in the domain
  - Every object in Active Directory is put into the GC
- Inappropriate to store volatile data in the DS
  - Gets replicated widely
  - Data may not be up to date on various domain controllers
  - May cause a lot of replication traffic

Application Directory Partitions
- In Windows.NET additional naming contexts can be created
- Used by Active Directory enabled applications to store and replicate data
- Usually created by the applications that will use them
- Contain any hierarchy of objects, except security principals
- Replicated only to specific domain controllers in a forest
- Objects are not replicated to the GC

Application Directory Partitions: Naming
- Part of the forest namespace, like a domain directory partition
- Same DNS and LDAP naming conventions
  - DNS: adp1.microsoft.com
  - DN: dc=adp1,dc=microsoft,dc=com

Application Directory Partitions
- Three possible placements within the forest namespace:
  - A child of a domain directory partition
  - A child of an application directory partition
  - A new tree in the forest
- Domain directory partitions cannot be children of an application directory partition

Application Directory Partitions
- Ntdsutil can be used to perform various operations, for testing and troubleshooting purposes only
- Applications will provide the utilities
- DCPROMO demote will not remove replicas or delete application directory partitions

Application Directory Partitions
- The Knowledge Consistency Checker (KCC) automatically generates and maintains the replication topology for all application directory partitions
- Replicas follow the same intersite replication schedule as the domain directory partition

Application Directory Partitions: Example: Active Directory integrated DNS
- Ability to replicate zones:

Replication scope                                     | Partition                                         | Tool
Among a given set of DNS servers of different domains | custom partition (created with dnscmd.exe)        | dnscmd.exe (/CreateDirectoryPartition, /EnlistDirectoryPartition, /UnEnlistDirectoryPartition)
All DNS servers in the forest                         | Default DNS application partition DomainDnsZones  | dnsmgmt.msc or dnscmd.exe
All DNS servers in the forest                         | Default DNS application partition ForestDnsZones  | dnsmgmt.msc or dnscmd.exe

Application Directory Partitions
- Example: List partitions with ntdsutil.exe
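An added example (not from the slides, and not the ntdsutil output the slide refers to) that lists the forest's naming contexts from the crossRef objects in the Partitions container and classifies them, so the DNS application partitions show up with their replica set; the systemFlags bit values it relies on (FLAG_CR_NTDS_NC 0x1, FLAG_CR_NTDS_DOMAIN 0x2, FLAG_CR_NTDS_NOT_GC_REPLICATED 0x4) are an assumption from the schema, not from the page.

```powershell
# Added example (not from the slides): enumerates the crossRef objects in the
# Partitions container and classifies each naming context, so the DNS
# application partitions (DomainDnsZones, ForestDnsZones) show up with their
# replica set. Flag bits assumed from the schema: FLAG_CR_NTDS_NC = 0x1,
# FLAG_CR_NTDS_DOMAIN = 0x2, FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4.
function Get-ForestPartition {
    $cfg = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot  = [ADSI]"LDAP://CN=Partitions,$cfg"
    $s.Filter      = '(objectClass=crossRef)'
    $s.SearchScope = 'OneLevel'
    foreach ($p in 'nCName','dnsRoot','systemFlags','msDS-NC-Replica-Locations') {
        [void]$s.PropertiesToLoad.Add($p)
    }
    foreach ($r in $s.FindAll()) {
        # @() so a missing attribute yields $null instead of an index error
        $flags = [int]@($r.Properties['systemflags'])[0]
        $nc    = [string]@($r.Properties['ncname'])[0]
        if (($flags -band 0x1) -eq 0) { $kind = 'external reference' }   # not hosted in this forest
        elseif ($flags -band 0x2)     { $kind = 'domain' }
        elseif ($nc -like 'CN=Configuration,*' -or $nc -like 'CN=Schema,*') { $kind = 'config/schema' }
        else                          { $kind = 'application' }
        # msDS-NC-Replica-Locations lists the NTDS Settings DNs of the hosting DCs
        $replicas = @($r.Properties['msds-nc-replica-locations'])
        [pscustomobject]@{
            Partition      = $nc
            DnsRoot        = [string]@($r.Properties['dnsroot'])[0]
            Kind           = $kind
            ReplicatedToGC = (($flags -band 0x4) -eq 0)
            Replicas       = ($replicas | ForEach-Object { ($_ -split ',')[1] -replace '^CN=' }) -join ';'
        }
    }
}
# DomainDnsZones / ForestDnsZones appear as Kind = application with
# ReplicatedToGC = False and only their enlisted DNS servers as Replicas
Get-ForestPartition | Sort-Object Kind, Partition | Format-Table -AutoSize
```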

Defunct Schema Objects
- The directory schema describes the kinds of objects that can reside in a directory:
  - Allowable parent object types for an object
  - Mandatory and optional attributes for an object
  - Syntax for an attribute
- Schema objects: classes and attributes

Defunct Schema Objects
- Schema additions are permanent: no way back, in both Windows 2000 and Windows.NET
- In Windows.NET schema objects
  - Can be disabled (marked "defunct")
  - Can be redefined
  - Can be reactivated

Defunct Schema Objects: Redefining Schema Objects
- The object identifier and the ldapdisplayname can be reused
- Example: Active Directory does not permit you to change the syntax of an attribute after it has been defined in the schema. Deactivate the attribute and create a new attribute that reuses the same object identifier and LDAP display name as the old attribute, but with the desired attribute syntax

Defunct Schema Objects
- To deactivate schema objects, set the isdefunct property to "True"
  - Programmatically
  - With the Active Directory Schema snap-in
- Only objects that have been added to the base schema can be deactivated or redefined

Defunct Schema Objects
- To reactivate schema objects, set the isdefunct property to "False"
- Any instances become valid, normal objects again
- There must be no collisions with active schema objects (ldapdisplayname, schemaidguid, ...)

inetorgperson
Novell's claims against Active Directory (December 1999): "DID YOU KNOW that Windows2000 does not conform to LDAP standards? This means that many off-the-shelf LDAP applications (Netscape, Oblix, Netegrity, etc.) cannot run against Active Directory. It seems that Windows2000 doesn't derive users from InetOrgPerson, which is the LDAP standard. Therefore, most LDAP applications won't recognize Active Directory users."

inetorgperson
- Windows 2000 Active Directory: the user account object is implemented as the 'user' class
- Other LDAP implementations: the user account object is implemented as the inetorgperson class (RFC 2798); they do not recognize AD users
- In Windows.NET Active Directory: new inetorgperson class, compatible with the user class

inetorgperson
- Windows.NET inheritance chain: top (abstract) -> person (abstract) -> organizationalperson (abstract) -> user (structural) -> inetorgperson (structural)
- RFC 2798 inheritance chain: top (abstract) -> person (structural) -> organizationalperson (structural) -> inetorgperson (structural)

inetorgperson
- Exchange 2000 schema extension:
  - secretary: 1.2.840.113556.1.2.444
  - labeleduri: 1.2.840.113556.1.2.593
- inetorgperson RFC 2798:
  - secretary: 0.9.2342.19200300.100.1.21
  - labeleduri: 1.3.6.1.4.1.250.1.57
- Solution: change the ldapdisplayname of the Exchange attributes
  - secretary -> msexchangeassistantname
  - labeleduri -> msexchlabeleduri
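An added example (not from the slides) that serves both the defunct-schema slides and the inetorgperson OID clash above: before reactivating a defunct schema object, or before adding one that reuses an ldapdisplayname or OID, it searches the schema for active objects that already use the same ldapdisplayname, OID or schemaidguid, and a second function flips isdefunct only when that check passes. It assumes Schema Admins rights on the schema master; the names in the final call are the OID from the slide and a placeholder.

```powershell
# Added example (not from the slides): collision check for reactivating a defunct
# schema object or reusing an OID / ldapDisplayName (the Exchange 2000 "secretary"
# and "labeledURI" clash with RFC 2798). Only active objects count, so a defunct
# object is never reported as colliding with itself. Requires Schema Admins rights.
function Find-SchemaCollision {
    param([string]$LdapDisplayName, [string]$Oid, [guid]$SchemaIdGuid)
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
    $clauses = @("(lDAPDisplayName=$LdapDisplayName)")
    if ($Oid) { $clauses += "(attributeID=$Oid)(governsID=$Oid)" }
    if ($SchemaIdGuid -and $SchemaIdGuid -ne [guid]::Empty) {
        # octet-string filter value: every byte written as \xx
        $hex = ($SchemaIdGuid.ToByteArray() | ForEach-Object { '\{0:x2}' -f $_ }) -join ''
        $clauses += "(schemaIDGUID=$hex)"
    }
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $s.Filter = "(&(|$($clauses -join ''))(!(isDefunct=TRUE)))"
    foreach ($p in 'lDAPDisplayName','attributeID','governsID','objectClass') { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) {
        [pscustomobject]@{
            Name  = [string]@($r.Properties['ldapdisplayname'])[0]
            Class = [string]@($r.Properties['objectclass'])[-1]
            Oid   = [string](@($r.Properties['attributeid'])[0] + @($r.Properties['governsid'])[0])
        }
    }
}

# Set isDefunct on a schema object; before reactivating, refuse if an active
# object already uses the same ldapDisplayName, OID or schemaIDGUID
function Set-SchemaObjectDefunct {
    param([string]$LdapDisplayName, [bool]$Defunct)
    $schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext.Value
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $s.Filter = "(lDAPDisplayName=$LdapDisplayName)"
    $hit = $s.FindOne()
    if (-not $hit) { throw "$LdapDisplayName is not in the schema" }
    $obj = $hit.GetDirectoryEntry()
    if (-not $Defunct) {
        $oid  = [string]($obj.attributeID.Value + $obj.governsID.Value)
        $guid = [guid]::new([byte[]]$obj.schemaIDGUID.Value)
        $hits = @(Find-SchemaCollision -LdapDisplayName $LdapDisplayName -Oid $oid -SchemaIdGuid $guid)
        if ($hits.Count -gt 0) { throw "Cannot reactivate: collides with $($hits.Name -join ', ')" }
    }
    $obj.Put('isDefunct', $Defunct)   # must be written on the schema master
    $obj.SetInfo()
}

# Example: is the RFC 2798 "secretary" OID from the slide already taken by an
# active attribute (for instance the Exchange 2000 extension under another name)?
Find-SchemaCollision -LdapDisplayName 'secretary' -Oid '0.9.2342.19200300.100.1.21'
```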

inetorgperson
- inetorgperson and user objects are different entities
- Up to now there is NO Exchange 2000 support for inetorgperson objects