
Client Interactions

Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com. Client Interactions. Active Directory Client Interactions. Intro. Central Database. LDAP – Lightweight Directory Access Protocol


Presentation Transcript


  1. Ing. Ondřej Ševeček | GOPAS a.s. | MCM: Directory Services | MVP: Enterprise Security | ondrej@sevecek.com | www.sevecek.com | Client Interactions

  2. Active Directory Client Interactions Intro

  3. Central Database
     • LDAP – Lightweight Directory Access Protocol
       • database query language, similar to SQL
       • TCP/UDP 389, SSL TCP 636
       • Global Catalog (GC) – TCP/UDP 3268, SSL TCP 3269
     • D/COM Dynamic TCP – Replication
     • Kerberos
       • UDP/TCP 88
     • Windows NT 4.0 SAM
       • SMB/CIFS TCP 445 (or NetBIOS)
       • password resets, SAM queries
     • SMB/DCOM Dynamic TCP
       • NTLM pass-through
       • Kerberos PAC validation

  4. Design Considerations
     • Distributed system
       • DCs disconnected for very long times
         • several months
     • Multimaster replication
       • with some FSMO roles

  5. Design Considerations
     • Example: Caribbean cruises, DC/IS/Exchange on board with tens of workstations and users, some staff hired during the journey. No or bad satellite connectivity only. DCs synced after the ship is berthed at the main office.
     • Challenge: Must work independently for long time periods. Different independent cruise-liners/DCs can accommodate changes to user accounts, email addresses, Exchange settings. Cannot afford the loss of any one.

  6. Database
     • Microsoft JET engine
       • JET Blue
       • common with Microsoft Exchange
       • used by DHCP, WINS, COM+, WMI, CA, CS, RDS Broker
     • %WINDIR%\NTDS\NTDS.DIT
       • ESENTUTL
       • Opened by LSASS.EXE

  7. Installed services (diagram) – LSASS hosts: Security Accounts Manager (TCP 445 SMB + Named Pipes; D/COM Dynamic TCP), Kerberos Key Distribution Center (UDP, TCP 88 Kerberos), Active Directory Domain Services (UDP, TCP 389, ... LDAP) on top of NTDS.DIT

  8. Network Interactions (DC Location) (diagram) – Client 2000+ → DNS: SRV: Any DC List; Client → Any DC 2000+: LDAP UDP Get My Site; Client → DNS: SRV: My Site DC; Client → My Site DC 2000+

  9. Network Interactions (2008/Vista+ DC Location) (diagram) – Client Vista+ → DNS: SRV: Any DC List; Client → Any DC 2008+: LDAP UDP Get My Site, Next Closest Site; Client → DNS: SRV: My Site DC, SRV: Close Site; Client → My Site DC 2000+ or Close Site DC 2000+

  10. Network Interactions (Join Domain) (diagram) – Client 2000+ → DC 2000+: Kerberos TGT: User; SMB TGT: CIFS; SAM Interface

  11. Network Interactions (Local Logon) (diagram) – Client 2000+ → DC 2000+: Kerberos TGT: User; TGS: LDAP, CIFS; LDAP GPO List; SMB GPO Download

  12. Network Interactions (Kerberos Network Logon) (diagram) – Client 2000+ → DC 2000+: Kerberos TGT: User, TGS: Server; Client → Server 2000+: App Traffic with in-band TGS: Server; Server → DC 2000+: SMB / D/COM Dynamic TCP, occasional PAC Validation (DC 2000+ ↔ DC 2000+)

  13. Network Interactions (NTLM Network Logon) (diagram) – Client 2000+ → Server 2000+: App Traffic with in-band NTLM; Server → DC 2000+: SMB / D/COM Dynamic TCP NTLM Pass-through (DC 2000+ ↔ DC 2000+)

  14. Network Interactions (Basic/RDP Logon) (diagram) – Client 2000+ → Server 2000+: App Traffic with in-band clear text; Server → DC 2000+: Kerberos TGT: User (DC 2000+ ↔ DC 2000+)

  15. Active Directory Replication Attribute Notes

  16. Attribute Types
     • string, integer, datetime, boolean, binary
     • DN reference
     • multivalue
       • up to 5000 items
     • linked multivalue
       • unlimited, requires 2003 Forest Level
     • backlink
       • memberOf
     • computed
       • primaryGroupToken, tokenGroups, lastLogonTimestamp
     • write-only attributes
       • unicodePwd

  17. Group membership (diagram) – Sales (Link): member CN=Kamil,OU=London,DC=...; member CN=Judith,OU=Paris,DC=...; member CN=Victor,OU=London,DC=...; member CN=Stan,OU=London,DC=... Judith (Backlink): memberOf CN=Sales,OU=Groups,DC=...; memberOf CN=IS Access,OU=Groups,DC=...

  18. (Not) replicated attributes
     • Not replicated
       • logonCount
       • badPasswordCount
       • badPasswordTime
       • lastLogon
       • lastLogoff
     • Replicated
       • pwdLastSet
       • lockoutTime
       • lastLogonTimestamp (since 2003)

  19. Logon timestamps (2003 DFL) (diagram) – Client and three DCs: DC: lastLogon 9:00, lastLogonTimestamp 11:00; DC: lastLogon 11:38, lastLogonTimestamp 11:00; DC: lastLogon -, lastLogonTimestamp 11:00

  20. lastLogonTimestamp
     • Requires 2003 domain level
     • Updated only once per 14-random(5) days
     • DC=idtt,DC=local
       • msDS-LogonTimeSyncInterval
         • 1+ – minimum without randomization
         • 5+ – randomization starts
         • 14 – the default
     • ...
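The difference between lastLogon and lastLogonTimestamp on slides 19 and 20, as an added Python model (not from the slides): lastLogon stays on the DC that serviced the logon, lastLogonTimestamp replicates but is rewritten only when older than the slide's 14-random(5) rule. DC names, dates, the interval values and the injectable random source are constructed for the example.

```python
# Added example (not from the slides): a model of how lastLogon (kept on the DC
# that serviced the logon, never replicated) and lastLogonTimestamp (replicated,
# but only rewritten when it is old enough) drift apart. The 14-random(5) rule
# from slide 20 uses an injectable random source so it can be pinned in tests.
# DC names, dates and the interval values are constructed.
import random
from datetime import datetime, timedelta


class LogonTracking:
    def __init__(self, dc_names, sync_interval_days=14, rnd=random.random):
        self.last_logon = {dc: None for dc in dc_names}  # per DC, not replicated
        self.last_logon_timestamp = None                  # one replicated value
        self.interval = sync_interval_days                # msDS-LogonTimeSyncInterval
        self.rnd = rnd                                    # returns a float in [0, 1)

    def logon(self, dc, when):
        """A logon serviced by `dc`; True if lastLogonTimestamp was rewritten."""
        self.last_logon[dc] = when  # only this DC ever holds this value
        # Slide 20 rule: below a 5-day interval there is no randomization;
        # from 5 days on, a random 0-5 days is subtracted from the interval.
        slack = self.rnd() * 5 if self.interval >= 5 else 0
        threshold = timedelta(days=self.interval - slack)
        if (self.last_logon_timestamp is None
                or when - self.last_logon_timestamp > threshold):
            self.last_logon_timestamp = when  # written on the DC and replicated
            return True
        return False

    def true_last_logon(self):
        """What an accurate audit needs: lastLogon from every DC, then the max."""
        seen = [t for t in self.last_logon.values() if t is not None]
        return max(seen) if seen else None

    def stale_by_timestamp(self, now, max_age_days):
        """Stale-account check on the replicated value only; it can lag the real
        last activity by up to the full interval, so treat it as a floor."""
        if self.last_logon_timestamp is None:
            return True
        return now - self.last_logon_timestamp > timedelta(days=max_age_days)


if __name__ == "__main__":
    # Constructed scenario after slide 19: three DCs, timestamp stamped at 11:00.
    t = datetime(2024, 1, 1, 11, 0)
    lt = LogonTracking(["DC1", "DC2", "DC3"], rnd=lambda: 0.0)
    lt.logon("DC1", t)                            # first logon: stamps 11:00
    lt.logon("DC2", t + timedelta(minutes=38))    # too recent: DC2 lastLogon only
    print(lt.last_logon_timestamp, lt.true_last_logon())
```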

  21. Password changes (diagram) – Client → DC: Password Change; DC → PDC: Immediate Replication of the password hash; PDC → other DCs: Normal replication of the hash

  22. Password changes (diagram) – pwdLastSet shown on the PDC and on each DC after the client's change

  23. Authentication failures (diagram) – Client pwd1; DC pwd1; PDC pwd1; DC pwd1

  24. Authentication failures (diagram) – Client pwd2; DC pwd1; PDC pwd2; DC pwd2

  25. Authentication failures (diagram) – Client pwd2 → DC pwd1 → PDC pwd2; DC pwd2

  26. Authentication failures (diagram) – Client; DC badPasswordCount 2; DC badPasswordCount 3; DC badPasswordCount 2; PDC badPasswordCount 7, lockoutTime
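The password-change and failure flows of slides 21 to 26, as an added Python model (not from the slides): the change goes to the PDC immediately, a DC with a stale hash forwards the attempt to the PDC, and badPasswordCount is per DC while the PDC holds the total and sets the replicated lockoutTime. DC names, the "pwd1"/"pwd2" hash values and the lockout threshold are constructed.

```python
# Added example (not from the slides), modelling slides 21-26: a password change
# goes to the PDC at once and to other DCs by normal replication; a DC with a
# stale hash retries against the PDC before counting a failure; badPasswordCount
# is per DC and totalled on the PDC, which alone locks out (lockoutTime then
# replicates). DC names, "pwd1"/"pwd2" and the threshold are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass
class DC:
    name: str
    pwd_hash: str                        # replicated (normally)
    bad_pwd_count: int = 0               # NOT replicated: each DC counts alone
    lockout_time: Optional[int] = None   # replicated urgently from the PDC

class Domain:
    def __init__(self, dcs, pdc_name, lockout_threshold):
        self.dcs = {d.name: d for d in dcs}
        self.pdc = self.dcs[pdc_name]
        self.threshold = lockout_threshold

    def change_password(self, at_dc, new_hash):
        """Slide 21: servicing DC and PDC get the new hash immediately."""
        self.dcs[at_dc].pwd_hash = new_hash
        self.pdc.pwd_hash = new_hash

    def replicate(self):
        """Normal replication cycle: every DC converges on the PDC's hash."""
        for d in self.dcs.values():
            d.pwd_hash = self.pdc.pwd_hash

    def authenticate(self, at_dc, pwd_hash, now):
        dc = self.dcs[at_dc]
        if dc.lockout_time is not None:
            return "locked"
        if pwd_hash == dc.pwd_hash:
            return "ok"
        # Slide 25: local hash may be stale (pwd1), so forward to the PDC (pwd2)
        if dc is not self.pdc and pwd_hash == self.pdc.pwd_hash:
            return "ok-via-pdc"
        # Slide 26: counted here and on the PDC, so only the PDC sees the total
        dc.bad_pwd_count += 1
        if dc is not self.pdc:
            self.pdc.bad_pwd_count += 1
        if self.pdc.bad_pwd_count >= self.threshold:
            for d in self.dcs.values():  # lockoutTime replicates urgently
                d.lockout_time = now
            return "locked"
        return "bad"
```

Querying badPasswordCount on a single non-PDC DC therefore undercounts; the PDC's value is the one a lockout investigation needs.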

  27. Active Directory Client Interactions DC Location

  28. Client Applications
     • Kerberos and NTLM authentication
     • Secure Channel
       • password changes, NTLM pass-through, Kerberos PAC validation
     • Group Policy client
     • DFS client
     • Certificate Autoenrollment client

  29. Client Applications
     • NPS (IAS), RRAS, TMG (ISA), RD Gateway (TS Gateway)
       • group membership, Dial-In tab
     • RD Host (Terminal Server)
       • Remote Control tab etc., Licensing servers
     • DHCP Server
       • authorization
     • IIS
       • account and group membership for SSL certificate authentication
     • WDS
       • computer MAC addresses or GUIDs

  30. Connection Properties
     • Bandwidth (Mbps)
       • forget about this
     • Latency (ms)
       • round-trip-time (RTT)
       • SMB, D/COM, SQL
     • Packet Loss (per sec., per Mb)
       • packet loss rate (PLR)
       • VPN such as PPTP, SSTP, IP-HTTPS

  31. Timeouts
     • DNS
       • primary DNS = 1 sec.
       • secondary DNSs = 2 sec.
       • ... 1 2 2 4 8 ...
     • ARP
       • ... 600 ms 1000 ms
     • LDAP UDP Site Location
       • 600 ms
     • TCP
       • SYN = 21 sec. (3x retransmission)
       • PSH/ACK = 93 sec. (5x retransmission)
       • ... 3 6 12 24 48 ...

  32. Basic DC location
     • Know the DNS name of the domain
     • Query general DNS DC SRV records
       • _ldap._tcp.dc._msdcs.idtt.local
     • Ping DC
       • Windows 2003-
     • LDAP UDP (ping) DC
       • to get the client’s site/close site

  33. DNS Domain Location
     • Makes use of DNS round robin
     • Site unaware lookup
       • NSLOOKUP
       • SET Q=SRV
       • _ldap._tcp.dc._msdcs.idtt.local
     • Site specific lookup
       • NSLOOKUP
       • SET Q=SRV
       • _ldap._tcp.Paris._sites.dc._msdcs.idtt.local

  34. Site Example – Single Site (diagram) – London 10.10.x.x: DC1, DC2, DC3, DC4, DC5, Client

  35. Site Example – Multihomed DC (DNS Bitmask Ordering) (diagram) – Paris 10.20.x.x; London 10.10.x.x: DC1, DC2, DC3, DC4, DC5, Client

  36. Site Awareness (diagram) – Paris 10.20.x.x: DC4; Roma 10.30.x.x: DC6; London 10.10.x.x: DC1, DC2, DC3; Berlin 10.50.x.x: DC5; Client asks a DC over anonymous LDAP UDP: where am I?

  37. General Operation
     • Use DNS to find generic DC list
     • Ping selected DC
       • Windows 2003-
     • Anonymous LDAP (UDP) to determine site
       • DC defines site from the request source IP address (NAT?)
     • Use DNS to find close DC in site
     • Ping or LDAP UDP to determine availability
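The locator steps of slides 32 to 37, as an added Python model (not from the slides) that also covers the out-of-site client of the later slides: generic SRV list, site derived from the client's source IP the way the DC does for the LDAP UDP ping, site-specific SRV list, and the fallback when the address is in no defined subnet. The domain name, SRV records, subnets and site names used here are constructed; record selection follows RFC 2782.

```python
# Added example (not from the slides): the DC locator steps of slides 32-43 as
# a model: generic SRV list, site from the client's source IP (what the DC does
# for the anonymous LDAP UDP ping), site-specific SRV list, and the out-of-site
# fallback. Record selection follows RFC 2782 (priority, then weighted random).
# Domain, DC, subnet and site values used here are constructed.
import ipaddress
import random

def srv_name(domain, site=None):
    """The SRV record the client queries (slide 33)."""
    if site is None:
        return f"_ldap._tcp.dc._msdcs.{domain}"
    return f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"

def site_from_ip(client_ip, subnets):
    """Longest matching AD subnet object wins; None means the client's address
    is in no defined subnet, i.e. an out-of-site client (slide 43)."""
    ip = ipaddress.ip_address(client_ip)
    nets = [(ipaddress.ip_network(n), s) for n, s in subnets.items()]
    hits = [(net, site) for net, site in nets if ip in net]
    return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def pick_dc(records, rnd=random.random):
    """RFC 2782: lowest priority first, weighted random within that priority."""
    best = min(r["priority"] for r in records)
    pool = [r for r in records if r["priority"] == best]
    point = rnd() * sum(r["weight"] for r in pool)
    for r in pool:
        point -= r["weight"]
        if point < 0:
            return r["target"]
    return pool[-1]["target"]

def locate_dc(domain, client_ip, dns, subnets, rnd=random.random):
    """Returns (dc, site). `dns` maps SRV names to lists of SRV records."""
    any_dc = pick_dc(dns[srv_name(domain)], rnd)   # steps 1-2: generic list, ping
    site = site_from_ip(client_ip, subnets)         # step 3: anonymous LDAP UDP
    if site is None:
        return any_dc, None        # misplaced client: keeps the generic DC
    site_records = dns.get(srv_name(domain, site))
    if not site_records:
        return any_dc, site        # empty site with no covering DC registered
    return pick_dc(site_records, rnd), site         # step 4: close DC in the site
```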

  38. DC Locator
     • NetLogon Service
     • nltest /sc_query:idtt
       • no network access
     • nltest /sc_verify:idtt
       • tries to authenticate with the DC
     • nltest /sc_reset:idtt
       • always performs new DNS lookup
     • nltest /dsgetsite
       • anonymous query against selected DC

  39. DFS Client (MUP)
     • Multiple UNC provider (MUP) driver
     • Determines its own DFS server referrals
       • obtains the list of DFS root servers from AD using the default DC from Netlogon
       • SYSVOL may be accessed from a different DC
     • DFSUTIL /PKTINFO
       • Windows Server 2003/Windows XP
     • DFSUTIL CACHE REFERRAL
       • Windows Server 2008/Windows Vista

  40. Site Example – Empty Site (diagram) – Paris 10.20.x.x: DC4, DC5; London 10.10.x.x: DC1, DC2, DC3; Berlin 10.50.x.x (no DC of its own): DC4, DC5 registered; Roma 10.30.x.x: DC6; Cyprus 10.40.x.x: DC7; Client

  41. Automatic Site Coverage
     • Each DC registers itself for its neighboring empty sites
     • HKLM\System\CurrentControlSet\Services\Netlogon
       • AutoSiteCoverage = DWORD = 1/0
     • GPO: Sites Covered by the DC Locator DNS SRV Records

  42. Active Directory Troubleshooting Misplaced OR Confused Clients

  43. Site Example – Out of Site (diagram) – Paris 10.20.x.x: DC4, DC5; London 10.10.x.x: DC1, DC2, DC3; Berlin 10.50.x.x; Roma 10.30.x.x: DC6; Cyprus 10.40.x.x: DC7; Client 10.100.0.7 (in no defined subnet)

  44. Out-of-site clients

  45. Out-of-site clients

  46. Limiting generic DC list
     • Limit creation of generic DC DNS records
     • GPO: Computer Configuration – Administrative Templates – System – Netlogon – DC Locator DNS Records
       • DC Locator DNS Records not Registered
       • Ldap, Kdc

  47. DC Stickiness
     • When one close selected, client sticks to it
       • even when moved into a different site
       • must reset secure channel
     • Force rediscovery interval GPO
       • Vista+
       • hotfix for Windows XP
       • also registry value ForceRediscoveryInterval

  48. Site Example – Moving Client (diagram) – Paris 10.20.x.x: DC4, DC5; London 10.10.x.x: DC1, DC2, DC3; Berlin 10.50.x.x: DC4, DC5; Roma 10.30.x.x: DC6; Cyprus 10.40.x.x: DC7, Client (previously in Paris)

  49. Active Directory Troubleshooting Client Failover

  50. Site Example – Failed DC (diagram) – Paris 10.20.x.x: DC4; Roma 10.30.x.x: DC6; London 10.10.x.x: DC1, DC2, DC3; Cyprus 10.40.x.x: DC7; Berlin 10.50.x.x: DC5; Client
