What is Active Directory? (In depth)
A general answer one would receive when asking, “What is Active Directory?”
“Active Directory is a centralized and standardized system that automates network management of user data, security, and distributed resources, and enables interoperation with other directories. Active Directory is designed especially for distributed networking environments.”
Active Directory features include:
- Support for the X.500 standard for global directories
- The capability for secure extension of network operations to the Web
- A hierarchical organization that provides a single point of access for system administration (management of user accounts, clients, servers, and applications, for example) to reduce redundancy and errors
- An object-oriented storage organization, which allows easier access to information
- Support for the Lightweight Directory Access Protocol (LDAP) to enable inter-directory operability
- Designed to be both backward compatible and forward compatible
Now let's get into the depths of Active Directory.
We know that Active Directory is stored in a database. But what is this database, and how is information stored in it? It is a Jet database. Why did Microsoft choose a Jet database over any other database for Active Directory? This is a very general and common question that colleagues and customers asked at every discussion.
SQL is a very well known database from Microsoft, which is easy to access and manipulate, so why didn't Microsoft choose SQL when it decided where to store the information? Jet was chosen because it's a ridiculously simple and fast database. If Active Directory was going to be the center of many enterprises, it had to be fast, and Jet delivers on that promise in spades.
Now, within the ntds.dit file there are actually many tables of data. The tables of most interest to us are the data table, which contains all the users, groups and OUs; the link table, which contains any linked attributes, for example the members of a group; and lastly the SD table, which contains the security descriptors, or permissions, assigned throughout Active Directory.
Structure of NTDS.dit
Let's first take a look at the data table. One easy way to do this is to run LDP.exe (part of the support tools) and leverage an operational attribute called ‘DumpDatabase’. Let's assume the domain name is remotex.com with a child domain named child.remotex.com.
Start Ldp.exe on the domain controller.
- Click Connect and press Enter without entering anything; the local domain is used by default.
- Click Bind and press Enter without entering anything; the logged-on account is used by default (this should be a Domain Admin account).
- Click Modify on the Browse menu.
- In Edit for Attribute, enter: dumpdatabase.
- In Edit for Values, enter: name ncname objectclass objectguid instancetype. You must leave one space between the attributes.
- Click Enter. The Entry List box contains the following entry: [Add]dumpdatabase:name ncname objectclass objectguid instancetype
- Click the Extended and Run options.
- The %systemroot%\NTDS\Ntds.dmp file is created.
Here is a key for some of the column names that appear in the dump:
DNT: Distinguished Name Tag. Essentially a primary key that identifies each row within the database.
PDNT: Parent Distinguished Name Tag. Indicates which object in the database is the parent of this object. References another object's DNT.
NCDNT: Naming Context Distinguished Name Tag. Indicates which “partition” this object belongs to. References the root of a partition’s DNT.
You will notice that all the partitions in Active Directory are represented in this one data table. This is why we call them logical partitions. So how does Active Directory keep track of the different partitions and which objects belong to which? This is where the DNT, PDNT and NCDNT values described above come into play: the PDNT value tells each object what its parent object is, and the NCDNT value tells the object which partition it belongs to.
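To make the DNT/PDNT/NCDNT linkage concrete, here is an added Python example (not from the original article, and not the real Ntds.dmp layout) that walks a constructed, simplified set of data-table rows for remotex.com and child.remotex.com, rebuilds each object's DN by following the PDNT chain, and groups objects by partition using NCDNT. The sample rows, and the convention that a partition head's own NCDNT refers to its parent partition, are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample rows: (DNT, PDNT, NCDNT, name). Only the linkage columns
# the text describes are modelled; the real data table has many more columns.
# Convention assumed here: a partition head's NCDNT points at its parent
# partition (0 for the forest root domain head).
ROWS = [
    (1,  0, 0, "$ROOT_OBJECT$"),      # synthetic root row, no parent
    (2,  1, 0, "DC=com"),             # structural row above the domain head
    (3,  2, 0, "DC=remotex"),         # head of the remotex.com partition
    (4,  3, 3, "CN=Users"),
    (5,  4, 3, "CN=Administrator"),
    (6,  3, 3, "OU=Sales"),
    (7,  6, 3, "CN=alice"),
    (8,  3, 3, "DC=child"),           # head of the child.remotex.com partition
    (9,  8, 8, "CN=Users"),
    (10, 9, 8, "CN=bob"),
]
BY_DNT = {dnt: (pdnt, ncdnt, name) for dnt, pdnt, ncdnt, name in ROWS}


def build_dn(dnt):
    """Follow PDNT references up to the root row and join the names into a DN."""
    parts, seen = [], set()
    while dnt in BY_DNT and dnt not in seen:   # 'seen' guards against a bad cycle
        seen.add(dnt)
        pdnt, _, name = BY_DNT[dnt]
        if pdnt == 0:                          # root row: not part of any DN
            break
        parts.append(name)
        dnt = pdnt
    return ",".join(parts)


def partition_heads():
    """A DNT is a partition head if some object's NCDNT references it."""
    return {ncdnt for _, _, ncdnt, _ in ROWS if ncdnt != 0}


def partition_of(dnt):
    """DNT of the partition an object belongs to (a head belongs to itself)."""
    return dnt if dnt in partition_heads() else BY_DNT[dnt][1]


def objects_by_partition():
    """Map each partition head's DN to the DNs of every object inside it."""
    groups = defaultdict(list)
    for dnt, _, _, _ in ROWS:
        head = partition_of(dnt)
        if head:                               # skip rows outside any partition
            groups[build_dn(head)].append(build_dn(dnt))
    return dict(groups)
```

Running objects_by_partition() shows the two logical partitions side by side in the same table, with DC=child living under DC=remotex in the PDNT tree but in its own partition by NCDNT.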