Security Identifiers (SID) in Active Directory

March 12, 2017 at 11:45 am

SID

Here is post on the SID in AD serving as a great primer for my Identity in Windows Server 2016 course at CBT Nuggets.

SID Overview

In our post here at the blog on the important FSMO roles, we examined the RID Master. This device helps with the creation of unique Security Identifiers (SIDs) in the domain. The SID is used to uniquely identify an object that receives security permissions. A SID consists of several components. One of those components is the Relative Identifier (RID). The RID Master gives your domain controllers each their own portion of the overall RID pool. This keeps different domain controllers from creating and assigning the same SID to different objects in your domain.

The SID Dissected

The Windows SID is generally made up of 2 fixed fields and up to 15 additional fields all separated by dashes. For example, the format looks like this:

S-v-id-s1-s2-s3-s4-s5-s6-s7-s8-s9-s10-s11-s12-s13-s14-s15

Here is the actual SID I am using right now on Windows 10:

S-1-5-21-863435222-3640012759-1033413245-1001

Notice the following about SIDs:

  • The first fixed field (v) describes the version of the SID structure, Microsoft has never changed this from 1
  • The second field (id) is the identifier authority; it uniquely identifies the authority involved; for example, NULL (0), World (1), Local (2), NT Authority (5)
  • The next 15 fields are not all required and are called sub-authorities; they help uniquely identify the object
  • The last sub-authority field is normally the RID

Well-Known SIDs

There are indeed well-known SIDs. For example:

  • S-1-5-10; this represents NT Authority/Self
  • S-1-1-0; this represents Everyone

There is also a well-known RID of 500. This translates to the built-in administrator account. Here we can see this on my Windows 10 system:

SID

I hope you enjoyed this post on the important SIDs in Windows technologies!
Pearson Education (InformIT)

Active Directory FSMO Roles

March 11, 2017 at 1:10 pm

FSMO

An Overview of FSMO Roles

When you think about your AD design, you immediately think about multiple domain controllers. And some of them might even be read only. This is to distribute the great load that might be placed on these servers in a very active enterprise. Why not distribute this load and ensure that AD resources are always available in the event of a machine or machines failing!

While it is true that we should design our forests in this manner, keep in mind that there are Flexible Single Master Operator (FSMO) Roles that dictate only one domain controller be responsible for certain functions. In these cases, AD nominates a specific domain controller as the master for such functions.

There are five of these roles total. Three exist for every domain, and two of the roles apply to the entire forest. Keep in mind, however, that you can have a single server providing multiple of these roles. This keeps us requiring at least 5 domain controllers for every forest.

Well, it is obviously time for us to cover each of these 5 roles in detail!

Schema Master (forest wide)

Want to make changes to your AD schema? Wow, you are fancy! You need to do this on the Schema Master. By default, this is the first DC you promoted in your forest.

Since changes to the schema are well-planned and pretty rare after your initial deployment is up and running, you can afford to have this role offline for measured time periods.

Domain Naming Master (forest wide)

This is the device that is in charge of changes to the forest-wide name space. Perhaps you need to add a domain to your domain tree in your forest? This machine needs to be online in order to make that happen. Once again, it defaults to the first DC you promote in your forest.

Once again, these types of changes (are thankfully) rare. Having this role offline for a time period is not typically then end of your world!

PDC Emulator (domain wide)

This FSMO role has many functions, including:

  • It maintains backward compatibility functioning as an old school Windows NT Primary Domain Controller (PDC)
  • It acts as the old school NT master browser
  • It attempts to maintain the latest passwords for all accounts (note this function like many others of the PDC Emulator has nothing to do with backward compatibility functions!)
  • It is the target server for most Group Policy management tools
  • It is responsible for acting as the primary time source for the domain and forest
  • It authorizes domain controller cloning

Since this device fulfills so many important functions, you want to make sure it is always online for the most part!

RID Master (domain wide)

This Relative Identifier (RID) Master exists per domain. This device ensures that Security Identifiers (SIDs) in the domain are unique. In my next post in this AD series, I will provide you with great details on the SIDs in your domain. Turns out they are pretty damn important!

RID Masters provide the relative identifier information to other domain controllers in large blocks so these devices can create many SIDs without needing to bother the RID Master again for a very long time. So again, we have a situation where the RID Master can be offline and it not cause huge problems. An obvious exception to this would be if you were in the process of adding a huge number of accounts that need SIDs in your domain.

Infrastructure Master (domain wide)

This FSMO role maintains references to objects in other domains. We call these objects phantoms. Let’s say you have 10 users in Domain1 that actually exist in Domain2. It is the job of the Infrastructure Master of Domain1 to maintain the phantom information for these users.

This important device has many functions and aspects as follows:

  • This role is responsible for updating SID information and distinguished name information when this changes in the source domain
  • It checks in with the Global Catalog of the source domain to ensure it does not possess “stale” phantom information
  • This role is also responsible for performing updates to the domain when moving from Windows Server 2003 or later

It is important to note that if you enable the Active Directory Recycle Bin functionality, every DC in the forest now performs the roles above.

This role could be offline, of course, and how long you could tolerate that is very forest design specific.

Transferring Roles

Could you have all of these roles on a single DC? Sure you could, and many administrators do this for simplicity. You can transfer these roles however for simplicity:

  • Domain Naming Master – changed with the Active Directory Domains and Trusts snap-in
  • The Schema Master – changed with the Active Directory Schema snap-in
  • The RID, Infrastructure, and PDC Emulator Masters – changed with the Active Directory Users and Computers snap-in

Note that you can also use Windows PowerShell for these controls. From a Command Prompt, use NTDSUTIL.

I hope you will be joining me for tomorrow’s post on SIDs!

Deploying and Managing Active Directory with Windows PowerShell: Tools for cloud-based and hybrid environments

Active Directory (AD) Components

March 10, 2017 at 12:16 pm

AD

AD Components Overview

In this post, we examine the key concepts that make up Windows Server Active Directory (AD). This is a continuing series here at the blog as we get excited for my 70-742 Identity in Windows Server 2016 to get fired up at CBT Nuggets.

Domains

The key element of AD is the domain. This is how we organize the structure in an enterprise. A domain consists of:

  • An X.500 (LDAP) based hierarchical structure of containers and objects
  • A DNS domain name
  • A security service
  • Policies
  • A Domain Controller (DC) that is authoritative for the domain (you should have more than one DC!)

Note that you can string domains together in your enterprise to create a domain tree. Perhaps we have cbtnuggetlabs.com as our first domain, then we create eugene.cbtnuggetlabs.com as our next domain. Note that these domains in a tree explicitly trust each other in a transitive way.

Forests

What a perfect name for our next component. A forest is a collection of domain trees! The first domain you create is called the forest root domain. This forest root domain could be renamed later on, but it cannot be removed. Once you have multiple domain trees in a forest,  trust relationships permit resource sharing.

You can even create forest trust relationships if your forest must access resources in another separate forest.

While it is cool that we can create a forest of multiple domain trees, it is almost always correct to keep things as simple as possible and create a single domain forest.

Organizational Units

What most of us think of when we envision AD is Organization Units (OUs). These are containers we create to fill with objects like users and groups and printers and then we assign policy to these units using Group Policy. Do not confuse OUs with another type of container object in AD called – a container. While there are some default containers in Windows Server, we tend to use OUs all the time as we are building our hierarchy.

When you install AD, some default containers and OUs get created for you. For example, there is a Domain Controllers OU.

The Global Catalog (GC)

Need to search a forest for something? The Global Catalog (GC) server comes to the rescue. The attributes you can search on are inside the GC and we call this a partial attribute set (PAS). There are tools you can use to manipulate what attributes make it into the GC.

I hope you found this post informative, and I would like to thank you for reading. Next up, we will examine the Flexible Single Master Operator (FSMO) Roles in AD.
Pearson Education (InformIT)