Sunday, July 31, 2011

Active Directory Communication


Active Directory relies on several communications services to communicate with client computers and between domain controllers. The variety of communications protocols used reflects the complex nature both of AD and of the industry-standard protocols that AD implements, such as Kerberos and the Lightweight Directory Access Protocol (LDAP). Understanding how AD communicates can be critical when you’re working with domain controllers or clients that are separated from domain controllers by firewalls or other port filtering devices (such as routers).

Basic Communications

AD needs only a few basic services to be available for normal operations:

• User Datagram Protocol (UDP) port 88 is used for Kerberos authentication. Transmission Control Protocol (TCP) port 88 can also be used, although it’s less common.
• TCP and UDP ports 135 are needed for remote procedure call (RPC) endpoint mapping. RPCs are used for a number of domain controller-to-domain controller and client-to-domain controller operations. Unfortunately, not all communications take place over port 135, as I’ll discuss later.
• TCP port 139 and UDP port 138 are needed for file replication between domain controllers. This port combination is the standard NetBIOS session service port set.
• UDP port 389 handles LDAP queries and is used for normal domain controller operations.
• TCP and UDP ports 445 are used for file replication and are the standard Windows file sharing ports.
• TCP and UDP ports 464 are the Kerberos password change protocol ports.
• TCP port 593 is used by the RPC over HTTP transport. Although you don’t technically need this port for normal operations, I’ll discuss later how this feature can make working with domain controllers through firewalls a bit easier.
• TCP port 636 is for LDAP over Secure Sockets Layer (SSL), which is the default LDAP methodology for Windows Server 2003 and later.
• TCP port 3268 and 3269 handle Global Catalog (GC) queries. Port 3269 handles secure queries. Any domain controller that needs access to a GC or that is acting as a GC server will use these ports.
• TCP and UDP ports 53 are used to communicate with Domain Name System (DNS), which is a vital part of AD communications. Generally, opening these ports between clients and domain controllers, or between domain controllers, will enable AD to function normally. One exception is RPC traffic.
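As an added example (not part of the original post), the following PowerShell script checks from a domain member which of the TCP ports in the list above are reachable on a domain controller, which is useful when auditing a firewall or filtering router between clients and domain controllers. It assumes Windows 8/Server 2012 or later for Test-NetConnection; the domain controller name is a placeholder. Test-NetConnection only performs a TCP connect, so the UDP ports (53, 88, 135, 138, 389, 445, 464) must be verified against the firewall rule set instead.

```powershell
# Added example: audit reachability of the AD TCP ports listed above from a domain member.
# Assumes Windows 8 / Server 2012 or later (Test-NetConnection); the DC name is a placeholder.
param(
    [Parameter(Mandatory = $true)]
    [string]$DomainController   # e.g. 'dc01.corp.example' (placeholder, not from the original post)
)

# TCP ports required for normal AD operations, taken from the list above.
# LDAP also listens on TCP 389, so it is included alongside the UDP usage the post describes.
$adTcpPorts = @(
    @{ Port = 53;   Service = 'DNS' },
    @{ Port = 88;   Service = 'Kerberos' },
    @{ Port = 135;  Service = 'RPC endpoint mapper' },
    @{ Port = 139;  Service = 'NetBIOS session service (file replication)' },
    @{ Port = 389;  Service = 'LDAP' },
    @{ Port = 445;  Service = 'SMB file sharing / replication' },
    @{ Port = 464;  Service = 'Kerberos password change' },
    @{ Port = 593;  Service = 'RPC over HTTP (optional)' },
    @{ Port = 636;  Service = 'LDAP over SSL' },
    @{ Port = 3268; Service = 'Global Catalog' },
    @{ Port = 3269; Service = 'Global Catalog over SSL' }
)

$results = foreach ($entry in $adTcpPorts) {
    # Test-NetConnection performs a TCP connect; UDP ports cannot be probed this way.
    $test = Test-NetConnection -ComputerName $DomainController -Port $entry.Port -WarningAction SilentlyContinue
    [pscustomobject]@{
        Port      = $entry.Port
        Service   = $entry.Service
        Reachable = $test.TcpTestSucceeded
    }
}

$results | Format-Table -AutoSize

# Summarise anything a firewall or filtering router is blocking.
$blocked = $results | Where-Object { -not $_.Reachable }
if ($blocked) {
    Write-Warning ("Blocked TCP ports on {0}: {1}" -f $DomainController, ($blocked.Port -join ', '))
} else {
    Write-Host "All listed AD TCP ports are reachable on $DomainController."
}
```

Run it from a domain member on each side of the firewall; a port that shows as blocked from the perimeter but open from the internal network pinpoints the filtering device responsible.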

RPC Endpoint Mapping

Most RPC communications first start on TCP port 135. However, that’s merely the RPC endpoint mapper service. Its function is to select a new destination port for further communications in that RPC session. Exchange Server is a major user of RPC endpoint mapping, and it’s very difficult to get Exchange traffic through a firewall as a result.

The range of potential endpoint addresses used by RPC communications is huge, essentially requiring the entire firewall to be opened to allow all the possibilities. The ports selected by the endpoint mapper can range from TCP 1024 to TCP 65535. Fortunately, you can force AD to always map endpoints to specific ports. The Internet Assigned Numbers Authority (IANA) has set aside ports 49152 to 65535 for private port assignments, so choose ports from this range and force AD to always use them. You’ll then be able to open a much smaller range of ports in your firewalls.

To force port selection, modify the registry key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters.

You’ll need to create or modify a DWORD value named TCP/IP Port, and set it to whichever port you’re going to use. However, there are some downsides to this modification:

• You’ll need to modify every domain controller on your network; otherwise, they won’t be able to communicate properly. You’re effectively disabling endpoint mapping, so all domain controllers will have to be manually told which port to use.
• Your domain controllers will have to work a bit harder to handle the same number of connections. The servers communicate less efficiently when forced to use a single port for all communications because they can’t rely on the port number to identify individual “conversations.”
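As an added example (not from the original post), this PowerShell script applies the registry change described above on a domain controller: it validates that the chosen port lies in the IANA private range and does not clash with a standard AD port, shows the current setting, then creates or updates the TCP/IP Port DWORD. It assumes an elevated session on the domain controller; the port 49152 is a placeholder, not a value from the post.

```powershell
# Added example: pin the AD RPC endpoint to a fixed TCP port, as described above.
# Assumes an elevated PowerShell session on each domain controller. The default port 49152
# is a placeholder chosen from the IANA private range, not a value from the original post.
param(
    [int]$RpcPort = 49152
)

$ntdsKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valueName = 'TCP/IP Port'

# Guard against ports outside the IANA private range (49152-65535) and against the
# well-known AD ports from the list above, which would collide with other services on the DC.
$reservedAdPorts = 53, 88, 135, 138, 139, 389, 445, 464, 593, 636, 3268, 3269
if ($RpcPort -lt 49152 -or $RpcPort -gt 65535 -or $reservedAdPorts -contains $RpcPort) {
    throw "Port $RpcPort is not in the private range 49152-65535 or clashes with a standard AD port."
}

# Show the current setting (absent means the endpoint mapper still picks a dynamic port).
$current = (Get-ItemProperty -Path $ntdsKey -Name $valueName -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "No fixed RPC port set; the endpoint mapper currently assigns dynamic ports."
} else {
    Write-Host "Current fixed RPC port: $current"
}

# Create or update the DWORD value. Remember this must be done on every domain controller.
New-ItemProperty -Path $ntdsKey -Name $valueName -Value $RpcPort -PropertyType DWord -Force | Out-Null

$applied = (Get-ItemProperty -Path $ntdsKey -Name $valueName).$valueName
Write-Host "TCP/IP Port is now $applied; the new port is used after the domain controller restarts."
```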

RPC over HTTP

Windows Server 2003 offers an exciting new communications protocol: RPC packets embedded within easily transported HTTP packets. This protocol is called RPC over HTTP, and it’s handled by an RPC proxy DLL that’s installed as an optional IIS 6.0 component.

Unfortunately, the computer initiating a conversation must choose to use RPC over HTTP, and Windows isn’t currently designed to do so for domain communications. The only practical use for RPC over HTTP at the moment is Outlook 2003 communications with Exchange Server 2003; RPC over HTTP is invaluable there because it allows an RPC-heavy client such as Outlook to communicate through easy-to-manage HTTP ports. Hopefully, in the future, RPC over HTTP will become a more widespread means of communication.
Choosing Your Battles

If you’re in a situation in which you have to have AD communications passing through a firewall, try to choose the path of least resistance. For example, domain controller-to-domain controller communications are amongst the most difficult as a result of the wide range of protocols in use and the need for constant RPC connectivity.

However, client-to-domain controller communications are significantly less complicated, so placing a domain member in a perimeter network, for example, will be easier to deal with than placing a domain controller there. If you absolutely must have a firewall between domain controllers, you’ll need to restrict the ports they use. The File Replication Service (FRS) will need to be restricted, as will general communications. I explained earlier how to force an RPC port for general communications; Microsoft can help you with other types of traffic.

Active Directory

What is Active Directory?

An active directory is a directory structure used on Microsoft Windows based computers and servers to store information and data about networks and domains. It is primarily used for online information and was originally created in 1996. It was first used with Windows 2000.

An active directory (sometimes referred to as an AD) performs a variety of functions, including providing information on objects, organizing these objects for easy retrieval and access, allowing access by end users and administrators, and allowing the administrator to set up security for the directory.

An active directory can be defined as a hierarchical structure, and this structure is usually broken up into three main categories: resources, which might include hardware such as printers; services for end users, such as web email servers; and objects, which are the main functions of the domain and network.

Understanding Active Directories

It is interesting to note the framework for the objects. Remember that an object can be a piece of hardware such as a printer, an end user, or security settings set by the administrator. These objects can hold other objects within their file structure. All objects have an ID, usually an object name (folder name). In addition to being able to hold other objects, every object has its own attributes, which allow it to be characterized by the information it contains. Most IT professionals call these settings or characterizations schemas.

The type of schema created for a folder will ultimately determine how these objects are used. For instance, some objects with certain schemas cannot be deleted; they can only be deactivated. Other types of schemas with certain attributes can be deleted entirely. For instance, a user object can be deleted, but the administrator object cannot be deleted.

When trying to understand active directories, it is important to know the framework within which objects can be viewed. An active directory can be viewed at one of three levels, called forests, trees and domains. The highest structure is called the forest, because from it you can see all objects included within the active directory.

Within the forest structure are trees; these structures usually hold one or more domains. Going further down the structure of an active directory are single domains. To put forests, trees and domains into perspective, consider the following example.

A large organization has many dozens of users and processes. The forest might be the entire network of end users and specific computers at a set location. Within this forest directory are now trees that hold information on specific objects such as domain controllers, program data and system, among others. Within these objects are even more objects which can then be controlled and categorized.

How are Active Directories used?

If you are a computer administrator for a large corporation or organization, you can easily update all end users’ computers with new software, patches and files simply by updating one object in a forest or tree.

Because each object fits into a set schema and has specific attributes, a network administrator can easily clear a person on a set tree or instantly give or deny access to select users for certain applications. The Microsoft servers use trust to determine whether or not access should be allowed. Two types of trusts that Microsoft active directories incorporate are transitive trusts and one-way non-transitive trusts. A transitive trust is when there is a trust that goes further than two domains in a set tree, meaning two entities are able to access each other’s domains and trees.

A one-way non-transitive trust is when a user is allowed access to another tree or domain; however, the other domain does not allow access to the further domains. This can be summed up as a network administrator and an end user. The network administrator can access most trees in the forest, including a specific end user’s domain. However, the end user, while able to access his or her own domain, cannot access other trees.

It is important to note that active directories are a great way to organize a large organization or corporation’s computers, data and network. Without an active directory, most end users would have computers that would need to be updated individually and would not have access to a larger network where data can be processed and reports can be created. While active directories can be technical to a good extent and require considerable expertise to navigate, they are essential to storing information and data on networks.