Windows Active Directory Role for Windows Servers

by [Published on 20 March 2013 / Last Updated on 20 March 2013]

In this article, the author describes what goes on behind the scenes when you install a role, especially the Active Directory Domain Services role.

Introduction

When you install the Active Directory role on a Windows Server, what actually occurs? It is key to know what occurs, as well as to have it documented. Many moving parts operate in the background, and knowing them can help you troubleshoot and ensure that your servers are secure.

Accessing the Roles for Install

In order to install different roles on a Windows server, you need to go to the Server Manager utility. This is now command central for all of the server management, according to what Microsoft wants you to think. The Server Manager allows you to install, remove, and view the currently installed roles for the server you are working on.

The Server Manager is one of the Administrative Tools, so you can access it through the Start button menu or you can access it through Control Panel. When you launch Server Manager you will find more than just roles, as this is a tool that allows you to manage much of the server. As you can see in Figure 1, Server Manager allows you to access various other tools and aspects of the server.

Figure 1: Server Manager for Windows Server 2008

As you can see in Figure 1, there are many roles installed on this Windows Server, one of which is the Active Directory Domain Services role. This role, when installed, makes the server a domain controller for an Active Directory domain. When the role is installed it will make significant modifications to the server to increase the security and management of the server.

Services

One of the most important aspects of the Active Directory Domain Services role is the fact that additional services are installed. Microsoft made some significant changes to the Windows Server default services in and around 2003. These changes were to increase the overall security and functionality of the server. The goal was to reduce the attack surface of the Windows Server when initially installed, as well as when features and roles were installed on the server.

When Active Directory Domain Services are installed there are some essential services that must be installed so that the server can function as a domain controller. These services include:

  • Active Directory Domain Services
  • DNS Client
  • Intersite Messaging
  • Kerberos Key Distribution Center
  • Netlogon
  • TCP/IP NetBIOS Helper
  • Windows Time
  • Workstation

These are the services that the installation of the role will automatically install and enable. You can clearly see this within the Server Manager when expanding the Active Directory Domain Services role, which is shown in Figure 2.

Figure 2: Server Manager showing the Active Directory Domain Services role and services.

Firewall Rules

In addition to services, installing a role (here, the Active Directory Domain Services role) also configures default Firewall Rules so that the services and overall functionality required for the role work correctly. It also helps protect the server from attacks, both internal and external. The Windows Firewall starting with Windows Server 2008 is a dramatic improvement over previous Microsoft firewall attempts and I have found it to be a very important inclusion to help protect your servers.

When the Active Directory Domain Services role is installed, the following Firewall Rules are also configured for the server to allow correct communication on the network. The inbound rules are displayed in Table 1 and the outbound rules are displayed in Table 2.

  • Active Directory Domain Controller - Echo Request (ICMPv4-In)
  • Active Directory Domain Controller - Echo Request (ICMPv6-In)
  • Active Directory Domain Controller - LDAP (TCP-In)
  • Active Directory Domain Controller - LDAP (UDP-In)
  • Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)
  • Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)
  • Active Directory Domain Controller - Secure LDAP (TCP-In)
  • Active Directory Domain Controller - NetBIOS name resolution (UDP-In)
  • Active Directory Domain Controller - SAM/LSA (NP-TCP-In)
  • Active Directory Domain Controller - SAM/LSA (NP-UDP-In)
  • Active Directory Domain Controller (RPC)
  • Active Directory Domain Controller (RPC-EPMAP)
  • Active Directory Domain Controller - W32Time (NTP-UDP-In)
  • Kerberos Key Distribution Center - PCR (TCP-In)
  • Kerberos Key Distribution Center - PCR (UDP-In)
  • Kerberos Key Distribution Center (TCP-In)
  • Kerberos Key Distribution Center (UDP-In)
  • Netlogon Service (NP-In)

Table 1: Inbound Firewall rules for Active Directory Domain Services Role

  • Active Directory Domain Controller - Echo Request (ICMPv4-Out)
  • Active Directory Domain Controller - Echo Request (ICMPv6-Out)
  • Active Directory Domain Controller (TCP-Out)
  • Active Directory Domain Controller (UDP-Out)
  • Core Networking - Group Policy (LSASS-Out)
  • Core Networking - Group Policy (NP-Out)
  • Core Networking - Group Policy (TCP-Out)
  • File and Printer Sharing (Echo Request - ICMPv4-Out)
  • File and Printer Sharing (Echo Request - ICMPv6-Out)
  • File and Printer Sharing (NB-Datagram-Out)
  • File and Printer Sharing (NB-Name-Out)
  • File and Printer Sharing (NB-Session-Out)
  • File and Printer Sharing (SMB-Out)
  • Core Networking - DNS (UDP-Out)

Table 2: Outbound Firewall rules for Active Directory Domain Services Role
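
As an added example that is not part of the original article, the following PowerShell check compares a domain controller against the services list and the inbound rules of Table 1. It assumes Windows Server 2012 or later, where the Get-NetFirewallRule cmdlet is available, and an English-language installation, since services and rules are matched by display name; the rule-family pattern used for the drift check is an assumption derived from the names in Table 1.

```powershell
# Added example, not from the article: audit a DC against the lists above.
# Assumes Server 2012+ (Get-NetFirewallRule) and English display names.
$services = 'Active Directory Domain Services', 'DNS Client', 'Intersite Messaging',
            'Kerberos Key Distribution Center', 'Netlogon', 'TCP/IP NetBIOS Helper',
            'Windows Time', 'Workstation'
$inbound = @'
Active Directory Domain Controller - Echo Request (ICMPv4-In)
Active Directory Domain Controller - Echo Request (ICMPv6-In)
Active Directory Domain Controller - LDAP (TCP-In)
Active Directory Domain Controller - LDAP (UDP-In)
Active Directory Domain Controller - LDAP for Global Catalog (TCP-In)
Active Directory Domain Controller - Secure LDAP for Global Catalog (TCP-In)
Active Directory Domain Controller - Secure LDAP (TCP-In)
Active Directory Domain Controller - NetBIOS name resolution (UDP-In)
Active Directory Domain Controller - SAM/LSA (NP-TCP-In)
Active Directory Domain Controller - SAM/LSA (NP-UDP-In)
Active Directory Domain Controller (RPC)
Active Directory Domain Controller (RPC-EPMAP)
Active Directory Domain Controller - W32Time (NTP-UDP-In)
Kerberos Key Distribution Center - PCR (TCP-In)
Kerberos Key Distribution Center - PCR (UDP-In)
Kerberos Key Distribution Center (TCP-In)
Kerberos Key Distribution Center (UDP-In)
Netlogon Service (NP-In)
'@ -split '\r?\n'

# Services from the article's list that are missing or not running.
foreach ($name in $services) {
    $svc = Get-Service -DisplayName $name -ErrorAction SilentlyContinue
    if (-not $svc) { "MISSING service: $name" }
    elseif ($svc.Status -ne 'Running') { "NOT RUNNING: $name ($($svc.Status))" }
}

# Table 1 rules that are absent or not enabled on this server.
$rules = Get-NetFirewallRule -Direction Inbound
foreach ($name in $inbound) {
    $match = @($rules | Where-Object { $_.DisplayName -eq $name })
    if ($match.Count -eq 0) { "MISSING rule: $name" }
    elseif ($match.Enabled -notcontains 'True') { "DISABLED rule: $name" }
}

# Drift: enabled inbound rules in the same families that Table 1 does not list.
$families = '^(Active Directory Domain Controller|Kerberos Key Distribution Center|Netlogon Service)'
$rules | Where-Object {
    $_.Enabled -eq 'True' -and $_.DisplayName -match $families -and
    $inbound -notcontains $_.DisplayName
} | ForEach-Object { "UNLISTED rule enabled: $($_.DisplayName)" }
```

No output means the server matches the lists; run it from an elevated prompt on the domain controller and keep the result with the server's documentation.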

Dependent Roles

Not only does the installation of one role install and configure services and firewall rules, but at times additional roles need to be installed to support it. This is certainly the case with the Active Directory Domain Services role, given the complexity of the role itself. Domain controllers must communicate with all of the computers on the network for authentication of computer and user accounts, as well as with all of the other domain controllers. The domain controller to domain controller communication involves replication of the Active Directory database and the replication of the contents of the SYSVOL.

In order for all of this communication to occur on your domain controllers, the additional roles that must be installed include:

  • DFS Namespace
  • DFS Replication
  • File Server

These roles help support the overall functionality of the domain controller and provide the additional communications that the above mentioned services don’t.

Missing Services

Other roles/services might also be required in order for the domain controller, and the Active Directory domain, to function. These might include:

  • Domain Naming Service
  • DHCP

DNS is a required service for Active Directory; however, it does not need to be a Microsoft DNS service. Also, DNS could reside on servers other than domain controllers and still function. There will be limitations on what DNS can do, but it would still function properly.

DHCP is typically used on corporate networks, as most companies don’t want to manually configure IP on all of the servers and desktops, so DHCP is used.

Summary

As you can see, there is a lot going on behind the scenes when you install a role, especially the Active Directory Domain Services role. When you install a role the server must be configured to support all of the communications that the role serves. This means that additional services might need to be installed and enabled. These services will be limited to only the services required for the role, to ensure the attack surface is kept to a minimum. As an additional measure to help protect the server, firewall rules, both inbound and outbound, are created and configured to ensure that core communication is allowed, but nothing more. Again, this is a security tactic by the operating system to limit the exposure to an internal or external attack.
