330 likes | 420 Views
ADM 493 Digging Deep into the Active Directory LDP. Windows 2000 and 2003 . The majority of topics apply equally well to Windows 2000 and 2003 All the demonstrations will be performed on Windows Server 2003. Health Warning!!.
E N D
Windows 2000 and 2003 • The majority of topics apply equally well to Windows 2000 and 2003 • All the demonstrations will be performed on Windows Server 2003
Health Warning!! • In this seminar we will show the use of tools that will allow direct access to AD objects and attributes • Always test any changes before implementing them in a production environment • You could always make mistakes!
The Directory • The directory is a container for objects • The objects are stored as rows within the database • Columns contain metadata and attributes • The on-the-wire protocol for accessing the database is LDAP • LDP allows you to create native LDAP queries for ultimate access • LDP is part of the support tools which can be installed from the distribution media
Using LDP • LDP provides a tree view and powerful search capabilities
Searching the Directory • To view/search the directory you must define a starting point • NC head • Subtree • Leaf object • Only returns information about that object
Domain NC:dc=child,dc=example,dc=com Configuration NC: cn=configuration,dc=example,dc=com Schema NC: cn=schema,cn=configuration,dc=example,dc=com Naming Contexts example.com child.example.com • Windows Server 2003 allows the creation of additional NCs • These are called Application Directory Partitions
The GC responds to LDAP queries on port 3268 DomainX objects • Domain NC objects replicated fromthe other domains in the forest • The GC stores only a partial set of attributes for each object The Global Catalog The GC is hosted on a DC in domainX • The Global catalog is not a NC • It contains a partial replica of all objects within the domain
UK ED legal example.com Naming Objects child.example.com • Every object is identified by an unique Distinguished Name • In addition to a DN (which may change), the object is uniquely identified by a GUID • Security principals are identified by a SID UK USA LN ED cn=john,ou=legal,ou=ed,ou=ukdc=child, dc=example,dc=com sales legal John cn = common name, ou = organizational unit, dc = domain component
RootDSE • All DCs maintain a node called RootDSE • RootDSE provides information on: • Supported naming contexts • The Root NC • LDAP versions • Supported controls • Extends the capabilities of LDAP • Policies and security RootDSE = Root DSA-Specific Entry, DSA=Directory Service Agent
Using LDP • Connect and bind (authenticate) • The view/search base can be defined by • DN • CN=James Bond,OU=Oxford,DC=example,DC=com • GUID • <GUID=5d4d36b1-12ad-4c3b-b943-9f3db65310e8> • SID • <SID=S-1-5-21-1539329446-2123584859-1544097757-1605>
Searching • All searches are started from a base • The returned results are based on an LDAP filter • The filter tests the attributes of an object • When the filter evaluates TRUE, the DN of the object is returned • The attributes to be returned along with the object’s DN can be defined
LDAP Filters (cn=james) (cn=jam*) (description=*) (!(description=*)) (&(objectCategory=user)(description=production*)) (&(!(description=production*))(|(objectCategory=user)(objectCategory=computer))) (ANR=j)
Query Processor • The query processor optimises the filter • The actual server-side filter can be viewed using an LDAP control • Controls extend the functionality of LDAP • The controls are identified by OIDs Example Control Types: Show Deleted Objects:1.2.840.113556.1.4.417 Do Not Generate Referrals:1.2.840.113556.1.4.1339
Windows 2000 LDP requires you to manually enter the controland click Check in Using Controls
Returning Results • The maximum number of results that can be returned from the server is 1000 • This is set via the LDAP policy MaxPageSize • To retrieve larger results sets either use the Paged option or Virtual List View • VLV is only available on Window Server 2003 • LDP has a default buffer size of 512 lines • Increase this for larger results sets
Returning Attribute Values Select the attributes to be returned by their ldapDisplayName Separate the names with a semicolon (no spaces) * returns all attributes 1.1 returns no attributes Attributes that have null values are not displayed Results to which you don’t have access permissions are not displayed
Search Scopes For efficient searching, alwaystry to minimise the search scope Base: searches the base object only One Level: searches the direct descendants of the baseobject, does not include the base objectSubtree: searches the base object and all objects below
Bit Flags • Some configuration details are stored as individual bits within an attribute • For example both of the following attributes contain flags • searchFlags • groupType • You can not test these flags with a simple numeric value
Index over attribute Index over container and attribute searchFlags (simplified) Copy attributewhen object is copied(user account copy) 16 8 4 2 1 • enabled = 1, disabled = 0 • The searchFlags are one of the properties of an attribute • These are defined in the schema bit 4 bit 3 bit 2 bit 1 bit 0 Preserve this attribute on logical deletion (tombstoned) Member of ANR set
groupType 4 2 1 8 2147483648 bit 31 bit 3 bit 2 bit 1 bit 0 Set for universal groups Set for security groups Clear for distribution groups Set for domain local groups Set for global groups
BIT Wise Operations • Matching rules are used to test bits within an attribute • Attributename:ruleOID:=value • No spaces, Value in decimal (searchFlags:1.2.840.113556.1.4.803:=5) Rule OID provides an AND test, evaluates true if bits 0 AND 2 are set (searchFlags:1.2.840.113556.1.4.804:=5) Rule OID provides an OR test, evaluates true if bits 0 OR 2 are set
Operational Attributes • Operational attributes provide a mechanism for triggering actions on the server via LDAP • They are not defined in the schema • Writing to the attributes causes the server to perform a predefined action • Actions include (ntldap.h for details) • Updating the Schema • Transferring FSMO roles • Triggering the SD Propagator Thread
Operational Attributes Updating the GC cache on 2003
Creating an Object • Objects can be created using LDP • Alternative methods are preferred if they are available • To create an object you must populate the mandatory attributes • Some mandatory attributes are automatically populated by the system
Example of Creating a User Object • Creates a user with default settings
Account Unknown • Set the SID as the search base • Enable the showing of deleted objects
Searching for GUIDs • GUIDS are stored in two different formats • String format: • e48d0154-bcf8-11d1-8702-00c04fb96050 • Binary format: • 54018de4f8bcd111870200c04fb96050 • To search for a binary GUID each byte must be escaped • \54\01\8d\e4\f8\bc\d1\11\87\02\00\c0\4f\b9\60\50
user appliesTo ACL RightsGUID Added to attributeSecurityGUID for all members of the property set • Access to an extended right is controlled by adding the rightsGUID attribute value to the object’s ACL • The rightsGUIDalso identifies the attributes that are members of a property set Extended Rights cn=personal-information • The objects to which extended rights applyare defined in the appliesTo attribute
And There is More… • If you’ve enjoyed this session • Tell your friends, ask your local Microsoft subsidiary when we will be in your area next! • Hope to see you – soon • Don’t forget to buy the book!!