WSV401

Deconstructing an nltest /dsgetdc output

C:\>nltest /dsgetdc:
           DC: \\PDC-01.corp.contoso.com
      Address: \\172.31.79.145
     Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f
     Dom Name: corp.contoso.com
  Forest Name: corp.contoso.com
 Dc Site Name: PDC-Site
Our Site Name: Client-Site
        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS
The command completed successfully

C:\>nltest /dsgetdc:contoso.nonexisting
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
C:\>

[Figure: DC-04.Corp.Contoso.com, new up-level machine]

Table: "Sync from domain account %s"
Columns: Thread context | Authentication type | Credential | Authenticated as
Thread contexts: LocalSystem, LocalService, NetworkService; authentication types: Kerberos, NTLM
Cell values as extracted (row assignment not recoverable): Machine account, $MachineName, NULL, Anonymous

Connection object options bits
  Bit  Value  Meaning
  0    1      Owned (managed) by the KCC
  1    2      Reciprocal replication
  2    4      Override notify defaults (typically indicates compression)
  3    8      Change notification
  4    16     Disable compression
  5    32     User-defined schedule
  6    64     RODC topology
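The nltest output above is the result the DC Locator hands back; scripts that consume it need to handle both the success layout and the failure line. The parser below is an added example (not part of the WSV401 deck): it splits the fields, maps the printed flag names back to the documented DsGetDcName Flags bits, reports any name it does not know rather than guessing, and turns the "Getting DC name failed" line into an exception carrying the Win32 status. The two sample outputs are the deck's own, embedded as constants; the required-flag check at the end is an assumption about what a caller might demand (e.g. a writable KDC before a password change).

```python
"""Parse `nltest /dsgetdc` output and decode the Flags line.

Added example, not part of the WSV401 deck. The sample outputs are the deck's
own, embedded as constants; the DS_* bit values are the documented
DsGetDcName DOMAIN_CONTROLLER_INFO flags.
"""
import re

# Flag names as nltest prints them -> DsGetDcName Flags bit (documented values).
# Only names that are certain are listed; anything else is reported as unknown
# instead of being guessed.
DS_FLAGS = {
    "PDC": 0x00000001, "GC": 0x00000004, "LDAP": 0x00000008,
    "DS": 0x00000010, "KDC": 0x00000020, "TIMESERV": 0x00000040,
    "WRITABLE": 0x00000100, "FULL_SECRET": 0x00001000, "WS": 0x00002000,
    "DNS_DC": 0x20000000, "DNS_DOMAIN": 0x40000000, "DNS_FOREST": 0x80000000,
}

# Constructed from the deck's two sample runs.
SAMPLE_OK = (
    "C:\\>nltest /dsgetdc:\n"
    "           DC: \\\\PDC-01.corp.contoso.com\n"
    "      Address: \\\\172.31.79.145\n"
    "     Dom Guid: ca21b03b-6dd3-11d1-8a7d-b8dfb156871f\n"
    "     Dom Name: corp.contoso.com\n"
    "  Forest Name: corp.contoso.com\n"
    " Dc Site Name: PDC-Site\n"
    "Our Site Name: Client-Site\n"
    "        Flags: GC DS LDAP KDC TIMESERV WRITABLE DNS_DC DNS_DOMAIN DNS_FOREST FULL_SECRET WS\n"
    "The command completed successfully\n"
)
SAMPLE_FAIL = (
    "C:\\>nltest /dsgetdc:contoso.nonexisting\n"
    "Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN\n"
)

FAIL_RE = re.compile(r"Getting DC name failed: Status = (\d+) (0x[0-9A-Fa-f]+) (\w+)")
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?):\s+(.*?)\s*$")


class DcLocatorError(Exception):
    """The locator returned a Win32 status instead of a DC."""
    def __init__(self, status, code, name):
        super().__init__(f"{name} (status {status}, {code:#x})")
        self.status, self.code, self.name = status, code, name


def parse_dsgetdc(text):
    """Return a dict of the nltest fields, or raise DcLocatorError on failure."""
    m = FAIL_RE.search(text)
    if m:
        raise DcLocatorError(int(m.group(1)), int(m.group(2), 16), m.group(3))
    info = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)          # skips the prompt and the trailer line
        if m:
            info[m.group(1)] = m.group(2)
    if "DC" not in info or "Flags" not in info:
        raise ValueError("not a complete nltest /dsgetdc result")
    # nltest prints UNC-style names; keep the bare host and address as well.
    info["dc_host"] = info["DC"].lstrip("\\")
    info["dc_ip"] = info["Address"].lstrip("\\")
    names = info["Flags"].split()
    info["flag_names"] = set(names)
    info["unknown_flags"] = sorted(n for n in names if n not in DS_FLAGS)
    info["flags_value"] = sum(DS_FLAGS[n] for n in names if n in DS_FLAGS)
    # Dc Site Name != Our Site Name means the client was served out of its site.
    info["cross_site"] = info.get("Dc Site Name") != info.get("Our Site Name")
    return info


def missing_flags(info, required):
    """Names in `required` that the located DC did not advertise."""
    return sorted(set(required) - info["flag_names"])
```

For the deck's sample, the Flags line decodes to 0xE000317C and the DC is in PDC-Site while the client is in Client-Site, which is the situation "next closest site" later in the deck is about.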
Ports and interfaces used at computer join, by the DC Locator, and at logon after join
(Static (0xE000): an RPC interface bound to a fixed port, 0xE000 in the example, instead of a port handed out by the endpoint mapper)
  Transport  Application  Port             Interface(s)
  TCP        Kerb.        88               -
  TCP        LDAP         389              -
  TCP        SMB          445              LsaRpc, NetLogonR, SamR
  TCP        RPC          135              EPM
  TCP        RPC          Static (0xE000)  DRSUAPI, NetLogonR
  TCP        DFS (SMB)    445              -
  UDP        C-LDAP       389              -
  UDP        DNS          53               -
  UDP        NbtNs        137              -
Scenario columns on the slide: Computer join | DC Locator | Logon after join (per-row marks not recoverable from the extraction)

Ports and interfaces used for AD replication, authentication, GPO refresh at an RODC, time synchronization, reboot after join, and file replication (NTFRS)
  Transport  Application  Port             Interface(s)
  TCP        DNS          53               -
  TCP        EPM          135              -
  TCP        Kerb         88               -
  TCP        LDAP         389              -
  TCP        RPC          135              EPM
  TCP        RPC          Static (0xE000)  FrsRpc, DRSUAPI, NetLogonR, LsaRpc
  TCP        SMB          445              NetLogonR
  UDP        C-LDAP       389              -
  UDP        DNS          53               -
  UDP        NTP          123              -
  Also listed without a port: DFS, NbtSS
Scenario columns on the slide: AD Replication | Authentication | GPO refresh at RODC | Time synchronization | Reboot after Join | File Replication (NTFRS) (per-row marks not recoverable)

Active Directory across a decade: Windows 2000, Windows 2003, Windows Server 2008, Windows Server 2008 R2

What is DC Locator? (continued)
What's with the LDAP ping limit?
What else does DC Locator provide?
Next closest site; filtering based on RODC
Key settings and administration commands
Time Service on a virtual DC

[Figure: DC Locator walkthrough, animation builds 1 and 2. Machine with Ethernet 00-12-3F-5B-9E-3D (ARP / RARP / DHCP) sends a DHCP broadcast for DHCP server discovery; after DHCP the machine has TCP/IP address 10.10.0.21 and DNS server 10.10.0.1. The complete step list follows the remaining builds.]
[Figure: DC Locator walkthrough, complete sequence. Machine (Ethernet 00-12-3F-5B-9E-3D; TCP/IP address 10.10.0.21, DNS server 10.10.0.1; Netlogon (DC Locator) holds DCs 10.10.0.1, 10.10.10.2, 10.20.1.3), DHCP server, DNS server, Directory, Kerberos (ticket), Group Policy (policy objects, scripts).]
1. DHCP server discovery: DHCP broadcast
2. Request of IP information (host, DNS, gateway, …): DHCP (UDP 67/68)
3. DC lookup, IP addresses for domain Contoso.com: DNS (UDP/TCP 53)
4. DC Locator pings the DCs and one is chosen: LDAP (UDP 389)
5. Machine connects to DC and secure channel is established: SMB (TCP 445) and RPC
6. Machine queries KDC (DC Locator), authenticates and ticket is retrieved: Kerberos (TCP 88)
7. Policy downloaded and executed: policy query (RPC + LDAP, TCP 389), policy download (SMB, TCP 445)

Attribute behavior: searchFlags [1]
  Bit  Value  Meaning
  0    1      Attribute index
  1    2      Containerized index
  2    4      Member of ANR set
  3    8      Preserve upon logical deletion (tombstone)
  4    16     Copy attribute when user account is copied
  5    32     Tuple index
  6    64     Subtree index (ADAM)
  7    128    Confidential attribute
[1] http://msdn2.microsoft.com/en-us/library/ms675656(VS.85).aspx
ANR settings: 1: suppress First/Last ANR; 2: suppress Last/First ANR

Display specifiers
Display specifiers are defined for each locale (e.g. Display specifiers (UK), Display specifiers (US)) and affect the user shell and the administrative tools for object
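Steps 3 and 4 of the walkthrough are the part a practitioner most often has to reproduce by hand when a DC cannot be found. As an added example (not from the deck), the block below builds the _msdcs SRV names Netlogon queries in step 3 and encodes the CLDAP "LDAP ping" of step 4: an LDAP SearchRequest against the rootDSE with the filter (&(DnsDomain=…)(NtVer=…)) asking only for the Netlogon attribute, sent as a single UDP datagram to port 389. The BER encoder is written by hand so every byte is visible; the NtVer bits are the NETLOGON_NT_VERSION_* values from MS-ADTS, and the domain, site and message id are assumptions taken from the deck's sample.

```python
"""DC Locator steps 3 and 4, offline: the DNS SRV names Netlogon queries and
the CLDAP "LDAP ping" it sends to each candidate DC on UDP 389.

Added example, not from the deck. Record names follow the _msdcs layout the
DC Locator uses; NtVer bits are NETLOGON_NT_VERSION_* from MS-ADTS; the BER
encoder is minimal and hand-written.
"""
import struct

NT_VERSION_5EX = 0x00000004                 # ask for NETLOGON_SAM_LOGON_RESPONSE_EX
NT_VERSION_WITH_CLOSEST_SITE = 0x00000010   # ask for the next-closest-site name


def dc_locator_srv_names(domain, site=None, want_gc=False, want_pdc=False, forest=None):
    """Ordered SRV names Netlogon tries: site-specific first, then domain-wide."""
    if want_pdc:
        return [f"_ldap._tcp.pdc._msdcs.{domain}"]
    if want_gc:                              # GC records live under the forest root
        forest = forest or domain
        names = [f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}"] if site else []
        return names + [f"_ldap._tcp.gc._msdcs.{forest}"]
    names = [f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"] if site else []
    return names + [f"_ldap._tcp.dc._msdcs.{domain}"]


def _ber_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, value):
    return bytes([tag]) + _ber_len(len(value)) + value


def _int(n):                                 # non-negative INTEGER, sign bit kept clear
    body = n.to_bytes((n.bit_length() + 8) // 8, "big") if n else b"\x00"
    return _tlv(0x02, body)


def _eq(attr, value):                        # Filter ::= equalityMatch [3] AttributeValueAssertion
    return _tlv(0xA3, _tlv(0x04, attr) + _tlv(0x04, value))


def build_netlogon_ping(dns_domain, ntver, message_id=1):
    """LDAPMessage { messageID, SearchRequest } for a CLDAP netlogon ping."""
    flt = _tlv(0xA0, _eq(b"DnsDomain", dns_domain)        # and [0] { ... }
                     + _eq(b"NtVer", struct.pack("<I", ntver)))  # NtVer is little-endian
    search = _tlv(0x63,                                    # [APPLICATION 3] SearchRequest
                  _tlv(0x04, b"")                          # baseObject: rootDSE
                  + _tlv(0x0A, b"\x00")                    # scope: baseObject
                  + _tlv(0x0A, b"\x00")                    # derefAliases: never
                  + _int(0) + _int(0)                      # sizeLimit, timeLimit
                  + _tlv(0x01, b"\x00")                    # typesOnly: FALSE
                  + flt
                  + _tlv(0x30, _tlv(0x04, b"Netlogon")))   # attributes: Netlogon only
    return _tlv(0x30, _int(message_id) + search)


def ber_split(buf):
    """Split a BER buffer into (tag, value) pairs, enough to inspect the request."""
    out, i = [], 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                        # long form: next (ln & 0x7F) bytes hold the length
            n, ln = ln & 0x7F, 0
            for _ in range(n):
                ln, i = (ln << 8) | buf[i], i + 1
        out.append((tag, buf[i:i + ln]))
        i += ln
    return out
```

To send it: `socket.socket(AF_INET, SOCK_DGRAM).sendto(msg, (dc_ip, 389))` with a short timeout per candidate; the reply is an LDAPMessage of the same shape whose searchResEntry carries one attribute, Netlogon, holding the response blob with the DC's flags, domain GUID, and DC and client site names, which is exactly what nltest printed earlier in the deck. A DC that does not answer the ping within the timeout is skipped, which is why a firewall that passes TCP 389 but drops UDP 389 shows up as "no DC found" rather than as a connection error.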
classes; they are stored in a locale-specific container in the configuration NC.

ANR
(&(ANR=Jairo Cadena)...) is expanded to (First word = GivenName AND Second word = Surname) … or (First word = Surname AND Second word = GivenName)

AdminSDHolder
The security descriptor of each member object of the administrative group(s) is replaced (including inheritance flags) with the template ACL of cn=AdminSDHolder,cn=System,dc=<domain>… (a container).
Administrative groups: Enterprise Admins, Schema Admins, Domain Admins, Administrators, Account Operators, Server Operators, Print Operators, Backup Operators, Cert Publisher, Replicator (*), Domain Controllers (*)
Delegating on the template, so that the right survives the replacement:
  dsacls cn=adminsdholder,cn=system,dc=… /G "Password Admins:CA;Change Password"

List Object mode
Tombstone reanimation (undelete)
Miscellaneous
Fundamentals
DC identification

[Figure: replication topology. Contoso.com forest, with the configuration/schema NC and the Contoso.com domain NC replicated over connection objects between DC1, DC2, DC3 and DC4; then with the child domain Corp.Contoso.com (its domain NC on DC5 and DC6); then with DC4 and DC5 acting as global catalogs (GC4, GC5).]

                     Intrasite replication   Intersite replication
  Transport          RPC                     RPC or SMTP
  Topology           Ring                    Spanning tree
  Schedule           Frequency schedule      Availability schedule
  Replication model  Notify & pull           Pull / store and forward
  Compression        None                    Configurable

Naming contexts (NCs)
Update Sequence Numbers (USNs)
Add new user on DS1: DS1's USN increases from 4710 to 4711; the object's usnCreated = 4711 and usnChanged = 4711. DS1 object metadata:
  Property  Value  USN   Version#  Timestamp  Originating GUID  Orig. USN
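Because SDProp replaces the descriptor of every member of the listed groups, two drifts are worth auditing: objects that still carry adminCount=1 after they left the protected groups (they keep the locked-down ACL, never regain inheritance, and are the first thing an attacker enumerates with (adminCount=1)), and protected members that are not stamped yet. The block below is an added example, not from the deck: it walks nested `member` links over a constructed directory snapshot (the kind a plain LDAP export gives) and reports both sets. The group list is the deck's; the exact protected set varies by Windows version and the dSHeuristics configuration, so treat PROTECTED_GROUPS as a value to adjust, and the sample DNs are invented.

```python
"""Audit adminCount against the AdminSDHolder-protected groups.

Added example, not from the deck. Directory data is a constructed snapshot
(what an export of `member` and `adminCount` would give), not a live query.
The protected-group list is the deck's; the real set varies by Windows
version, so adjust PROTECTED_GROUPS for the forest you audit.
"""

PROTECTED_GROUPS = {
    "Enterprise Admins", "Schema Admins", "Domain Admins", "Administrators",
    "Account Operators", "Server Operators", "Print Operators",
    "Backup Operators", "Cert Publishers", "Replicator", "Domain Controllers",
}

BASE = "DC=corp,DC=contoso,DC=com"

# Constructed snapshot: dn -> {"cn", "member": [dns], "adminCount": 1 or None}
DIRECTORY = {
    f"CN=Domain Admins,CN=Users,{BASE}": {"cn": "Domain Admins", "adminCount": 1,
        "member": [f"CN=alice,OU=Staff,{BASE}", f"CN=Tier0 Ops,OU=Groups,{BASE}"]},
    f"CN=Tier0 Ops,OU=Groups,{BASE}": {"cn": "Tier0 Ops", "adminCount": 1,
        "member": [f"CN=bob,OU=Staff,{BASE}", f"CN=dave,OU=Staff,{BASE}"]},
    f"CN=Helpdesk,OU=Groups,{BASE}": {"cn": "Helpdesk", "adminCount": None,
        "member": [f"CN=carol,OU=Staff,{BASE}"]},
    f"CN=alice,OU=Staff,{BASE}": {"cn": "alice", "adminCount": 1, "member": []},
    f"CN=bob,OU=Staff,{BASE}": {"cn": "bob", "adminCount": 1, "member": []},
    # carol was moved out of Domain Admins but still carries the stamp
    f"CN=carol,OU=Staff,{BASE}": {"cn": "carol", "adminCount": 1, "member": []},
    # dave was nested into Tier0 Ops and SDProp has not run yet
    f"CN=dave,OU=Staff,{BASE}": {"cn": "dave", "adminCount": None, "member": []},
}


def transitive_members(directory, group_dn, seen=None):
    """All DNs reachable through nested `member` links (cycle-safe)."""
    seen = set() if seen is None else seen
    for dn in directory.get(group_dn, {}).get("member", []):
        if dn not in seen:
            seen.add(dn)
            transitive_members(directory, dn, seen)
    return seen


def protected_principals(directory):
    """Protected groups themselves plus everything nested under them."""
    out = set()
    for dn, obj in directory.items():
        if obj["cn"] in PROTECTED_GROUPS:
            out.add(dn)
            out |= transitive_members(directory, dn)
    return out


def audit_admincount(directory):
    """Return (orphaned, unstamped): adminCount=1 objects outside every protected
    group, and protected principals that SDProp has not stamped (yet)."""
    protected = protected_principals(directory)
    orphaned = sorted(dn for dn, o in directory.items()
                      if o["adminCount"] == 1 and dn not in protected)
    unstamped = sorted(dn for dn in protected
                       if directory.get(dn, {}).get("adminCount") != 1)
    return orphaned, unstamped
```

For the orphaned set the usual remediation is to clear adminCount and re-enable inheritance on the object; the unstamped set is normally transient, but an entry that stays in it across SDProp cycles means a group the template did not cover.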
  P1        Value  4711  1         <time>     DS1               4711
  P2        Value  4711  1         <time>     DS1               4711
  P3        Value  4711  1         <time>     DS1               4711
  P4        Value  4711  1         <time>     DS1               4711

User replicated to DS2: DS2's USN increases from 2051 to 2052; on DS2 the object's usnCreated = 2052 and usnChanged = 2052. DS2 object metadata:
  Property  Value  USN   Version#  Timestamp  Originating GUID  Orig. USN
  P1        Value  2052  1         <time>     DS1               4711
  P2        Value  2052  1         <time>     DS1               4711
  P3        Value  2052  1         <time>     DS1               4711
  P4        Value  2052  1         <time>     DS1               4711

High watermark vector (HWV) table
[Figure: DS1 USN 4711, DS2 USN 2052, DS3 USN 1217, DS4 USN 3388]
DS4's high-watermark vector, which assumes that DS1 and DS3 are its replication partners:
  DC GUID   Highest known USN
  DS1 GUID  4711
  DS3 GUID  1217

Up-to-dateness (UTD) vector table
DS4's up-to-dateness vector, which assumes that DS1, DS2 and DS3 have all originated writes against the partition:
  Invocation ID  Highest originating USN  Replication timestamp
  DS1 GUID       4691                     12:02.31
  DS2 GUID       2052                     12:02.29
  DS3 GUID       1216                     12:02.36

Conflict resolution

Object count table (two number series per row, the second shown in quotation marks as on the slide; no units given)
  #Objects  Users        Global Groups  Universal Groups  Volumes
  1         14,108       10,437         11,227            9,667
            "13,019"     "11,309"       "11,145"          "10,277"
  10        45,563       25,683         26,741            21,691
            "47,037"     "26,902"       "26,823"          "22,848"
  100       39,583       28,743         29,675            22,602
            "386,148"    "187,754"      "185,606"         "149,736"
  500       173,105      102,404        119,180           81,691
            "1,914,087"  "905,015"      "906,079"         "715,577"
  1,000     291,041      194,926        199,054           151,989
            "3,818,256"  "1,815,170"    "1,803,090"       "1,436,085"

Intersite replication
Intrasite replication
Replication epochs
Replication notification intervals
Intersite change notification
Reciprocal replication
Urgent replication
Password replication: PDC chaining [Figure: DC, User, PDC, Administrator]
Lingering objects
Replication consistency
[Figure: Forest A and Forest B joined by a cross forest trust]
LDAP connection specifics
LDAP authentication security
LDAP query requirements
LDAP query options
More LDAP query options
Connection specifics
Query specifics
Query filter specifics
  http://msdn2.microsoft.com/en-us/library/aa746475.aspx
  http://msdn2.microsoft.com/en-us/library/aa366108(VS.85).aspx
Query efficiency
VLV / Containerized index
Returned attributes
LDAP policies
Some interesting session options
Some interesting controls
RootDSE
Extended error messages
Basics
Operations master roles: Schema master, Domain Naming master, PDC, RID master, Infrastructure master

Display specifier value syntaxes
Context menu entries (contextMenu / adminContextMenu):
  SYNTAX: <ordinal>,<display text>,<executable path>
Extra columns (extraColumns):
  SYNTAX: <ldapdisplayname>,<column header>,<default visibility>,<width>,<reserved/unused>