6.0 Components of Domain Services for Windows

This section describes the various components and subcomponents of Domain Services for Windows (DSfW).

Table 6-1 Components of DSfW

Component

Subcomponent

eDirectory 9.2.8

 

NMAS 3.3.4

 

MIT Kerberos 1.6.2

 

KDC and libraries: Includes the Kerberos authentication service and ticket granting service components.

 

GSS-API: The framework for selecting and negotiating between multiple security mechanisms (For DSfW, they are SPNEGO, NTLM, and Kerberos).

 

XAD framework: Implements the Active Directory information and security models, and contains a variety of plug-ins for eDirectory, NMAS, and MIT Kerberos

The Active Directory Provisioning Handler (ADPH) that enforces the Security Accounts Manager inside the DSA.

 

The GSS and IPC SASL mechanisms (with associated LCM/LSMs), that provide GSS-API and UNIX authentication security to directory clients. The GSS mechanism also provides confidentiality and integrity services for NLDAP.

 

The GSS and Net Logon DCE authentication mechanisms.

 

The NTLMv2 authentication protocol (implemented as a GSS mechanism).

 

The dcinit suite of domain controller provisioning scripts.

 

A MIT Kerberos KDC back end that retrieves principal information for the Active Directory information model

SLAPI Plug-ins

nad: Active Directory information model for NLDAP.

 

subschema: – Schema cache and subschema introspection.

 

crossref: Used for generation of referrals and search result references, and Active Directory search semantics.

 

addrdnvalues: Adds RDN values on entry.

 

anr: Used for ambiguous name resolution.

 

tokengroups: Generates a list of SIDs of user's group memberships.

 

netlogon: Service used by Windows clients to locate domain controllers.

 

rootdse: Additional attributes on root DSEs.

 

ntacl: Support for Windows security descriptors.

 

whoami: RFC 4532 (determines authorization identity for a connection).

 

sam (pre-ADPH): Implements Active Directory SAM constraints.

 

rfc2307 (pre-ADPH): Sets default RFC 2307 attributes for users.

 

idmap_ad: Maps between SIDs and RFC 2307 UIDs/GIDs.

 

dce_funnel: Forwards CIFS encapsulated RPCs to xadsd.

 

auth_paula: Forwards NTLM authentication requests to xadsd.

 

netlogon: Forwards NMB locator requests to LDAP.

RPC Systems

Local Security Authority (LSARPC): SID to name translation, establishment of trusted domains, inter alia.

 

Security Accounts Manager remote protocol (SAMR): SID-to-name translation, account management.

 

Net Logon: Manages the secure channel between workstations and domain controllers, which is used for pass-through authentication, listing trusted domains, updating machine account shared secrets, etc.

 

Directory Replication Service User API (DRSUAPI): Used for directory-based name translation and for replication with Active Directory servers replication is not supported by DSfW 1.0).

 

Private Authentication Layer (PAULA): Used by Samba on DSfW domain controllers to forward NTLM authentication requests.

 

Directory Services Setup (DSSetup): Information about the state of the domain controller.

SAMBA: Used for serving group policy information and forwarding RPCs encapsulated in the CIFS protocol to XAD).

 

NTP with Net Logon extensions: Used for securely synchronizing network time, which is necessary for the Kerberos protocol.

 

Novell BIND with GSS extensions: Used for securely updating workstation address information in DNS. DNS records are maintained in eDirectory.

 

System Volume (SYSVOL): Contains the file system group policies (known as Group Policy Templates or GPT). The policies are replicated between domain controllers of the same domain by using the rsync utility.

 

 

 

Apart from static configuration information, all of the component information is stored in eDirectory. Some information is managed by the directory server itself, including attributes whose integrity is critical to the Windows security model (for example, security identifiers, which can only be allocated by a trusted entity such as the directory server itself).

Most information is managed over LDAP and RPC by using the MMC management tools that ship with Windows.