Chapter 2: Windows Network Concepts

2.1. Workgroups
In computer networking, a workgroup is a collection of computers on a LAN that share common resources and responsibilities. Workgroup is Microsoft's term for a peer-to-peer LAN. Windows workgroups can be found in homes, schools and small businesses. Computers running Windows OSs in the same workgroup may share files, printers, or an Internet connection. A workgroup contrasts with a domain, in which computers rely on centralized authentication.
A Windows workgroup is a group of standalone computers in a peer-to-peer network. Each computer in the workgroup uses its own local accounts database to authenticate resource access, so the computers in a workgroup do not have a common authentication process. The default networking environment for a clean Windows installation is a workgroup.
In general, a Windows workgroup environment can contain many computers but works best with 15 or fewer. As the number of computers increases, a workgroup eventually becomes very difficult to administer and should be reorganized into multiple networks or set up as a client-server network.
The computers in a workgroup are considered peers because they are all equal and share resources among each other without requiring a server. Since the workgroup does not share a common security and resource database, users and resources must be defined on each computer. Joining a workgroup requires all participants to use a matching name; all Windows computers (Windows 7, 8 and 10) are automatically assigned to a default group named WORKGROUP (MSHOME in Windows XP). To access shared resources on other PCs within its group, a user must know the name of the workgroup that computer belongs to plus the username and password of an account on the remote computer.

The main disadvantages of workgroups are:

➢ If a user account will be used for accessing resources on multiple machines, the account will need to be created on each of those machines, i.e. the same username and password must be used on all of them.
➢ The low-security protocol used for authentication between nodes.
➢ Desktop computers have a fixed limit of 15 or fewer connections. Note that this refers to connections to an individual desktop.

One of the most common mistakes when setting up a peer-to-peer network is misspelling the workgroup name on one of the computers. For example, suppose you decide that all the computers should belong to a workgroup named MYGROUP. If you accidentally spell the workgroup name MYGRUOP on one of the computers, that computer will be isolated in its own workgroup. If you cannot locate a computer on your network, the workgroup name is one of the first things to check.

2.1.1. Windows Workgroups vs Homegroups and Domains

Domain Controller
Windows domains support client-server local networks. A specially configured computer called a Domain Controller, running a Windows Server operating system, serves as a central server for all clients. Windows domains can handle more computers than workgroups due to their ability to maintain centralized resource sharing and access control. A client PC can belong to either a workgroup or a Windows domain, but not both; assigning a computer to a domain automatically removes it from the workgroup (see section 2.2 for more on Domain Controllers).

Microsoft HomeGroup

Microsoft introduced the HomeGroup concept in Windows 7. HomeGroups are designed to simplify the management of workgroups for administrators, particularly home users. Instead of requiring an administrator to manually set up shared user accounts on every PC, HomeGroup security settings can be managed through one shared login.

Joining a HomeGroup does not remove a PC from its Windows workgroup; the two sharing methods co-exist. Computers running versions of Windows older than Windows 7 (such as XP and Vista), however, cannot be members of HomeGroups.

Other Computer Workgroup technologies

The open source software package Samba (which uses SMB technologies) allows Apple macOS, Linux and other Unix-based systems to join existing Windows workgroups. Apple originally developed AppleTalk to support workgroups on Macintosh computers but phased out this technology in the late 2000s in favor of newer standards like SMB.

Samba is free software that provides file and print services for various Microsoft Windows clients and can integrate with a Microsoft Windows Server domain, either as a Domain Controller (DC) or as a domain member. As of version 4, it supports Active Directory and Microsoft Windows NT domains. Samba runs on most Unix-like systems, such as Linux, Solaris, AIX and the BSD variants, including Apple's macOS Server and the macOS client (Mac OS X 10.2 and greater). It is standard on nearly all distributions of Linux and is commonly included as a basic system service on other Unix-based operating systems as well. Samba is released under the terms of the GNU General Public License. The name Samba comes from SMB (Server Message Block), the name of the proprietary protocol used by the Microsoft Windows network file system.


2.2. Domain Controllers (DC)

A domain controller (DC) is a server computer that responds to security authentication requests within a computer network domain. It is a network server that is responsible for allowing end devices to access shared domain resources. It authenticates users, stores user account information and enforces security policy for a domain. It is most commonly implemented in Microsoft Windows environments, where it is the centerpiece of the Windows Active Directory service. However, non-Windows DCs can be established via identity management software such as Samba (see the last paragraph of section 2.1).

DCs are typically deployed as a cluster to ensure high availability and maximize reliability. In a Windows environment, one DC serves as the Primary DC (PDC) and all other servers promoted to DC status in the domain serve as Backup DCs (BDCs). In Unix-based environments, one machine serves as the master domain controller and others serve as replica domain controllers, periodically replicating database information from the master domain controller and storing it in a read-only format.

On Microsoft servers, a DC is a server computer that responds to security authentication requests (logging in, etc.) within a Windows domain. A Windows domain is a form of computer network in which all user accounts, computers, printers and other security principals are registered with a central database located on one or more clusters of central computers known as DCs. A domain is a concept introduced in Windows NT whereby a user may be granted access to a number of computer resources with the use of a single username and password combination. You must set up at least one DC in every Windows domain. Figure 2.1 shows the Domain Controller in a Windows domain.

Figure 2.1. Domain Controller

Windows Server can be one of three kinds: Active Directory "domain controllers" (ones that provide
identity and authentication), Active Directory "member servers" (ones that provide complementary
services such as file repositories and schema) and Windows Workgroup "stand-alone servers". The term
"Active Directory Server" is sometimes used by Microsoft as synonymous to "Domain Controller" but
the term is discouraged.


2.2.1. System Requirements for a Domain Controller

This section outlines the minimum hardware requirements to run the latest Windows Server available as this resource is prepared (i.e. Windows Server 2022). If your computer has less than the minimum requirements, you will not be able to install the server correctly. Actual requirements will vary based on your system configuration and the applications and features you install.

Processor
Processor performance depends not only on the clock frequency of the processor, but also on the number of processor cores and the size of the processor cache. The following are the minimum processor requirements for the product:
➢ 1.4 GHz 64-bit processor
➢ Compatible with the x64 instruction set

RAM
The following are the estimated minimum RAM requirements for the product:
➢ 512 MB (2 GB for the Server with Desktop Experience installation option)

Storage Controller and Disk Space Requirements

Computers that run Windows Server must include a storage adapter that is compliant with the PCI Express architecture specification. Persistent storage devices on servers classified as hard disk drives must not be PATA. Windows Server does not allow ATA/PATA/IDE/EIDE for boot, page, or data drives. The estimated minimum disk space requirement for the system partition is 32 GB.

Network Adapter Requirements

Network adapters used with this latest release should include an Ethernet adapter capable of at least 1 gigabit per second throughput. The following is a list of minimum system requirements for older versions of Windows Server:

Component              | Windows Server 2003 32-bit        | Windows Server 2008 32-bit             | Windows Server 2008 R2 64-bit
Computer and processor | Computer with a 133-MHz processor | Computer with minimum 1 GHz processor  | x64, 1.4 GHz if single core, 1.3 GHz if multi core
Memory                 | 25 TFTP                           | 512 MB RAM                             |
Hard disk              | 1.5 GB available hard-disk space  | 20 GB available hard-disk space        | 32 GB available hard-disk space
Table 1. System requirements for a domain controller


2.3. LDAP & Windows Active Directory


2.3.1. Lightweight Directory Access Protocol (LDAP)
The Lightweight Directory Access Protocol (LDAP) is an open, vendor-neutral, industry standard
application protocol for accessing and maintaining distributed directory information services over an
Internet Protocol (IP) network. Directory services play an important role in developing intranet and
Internet applications by allowing the sharing of information about users, systems, networks, services,
and applications throughout the network. As examples, directory services may provide any organized
set of records, often with a hierarchical structure, such as a corporate email directory. Similarly, a
telephone directory is a list of subscribers with an address and a phone number.

A common use of LDAP is to provide a central place to store usernames and passwords. This allows
many different applications and services to connect to the LDAP server to validate users.

In the early engineering stages of LDAP, it was known as Lightweight Directory Browsing Protocol,
or LDBP. It was renamed with the expansion of the scope of the protocol beyond directory browsing
and searching, to include directory update functions. It was given its Lightweight name because it was
not as network intensive as its predecessors and thus was more easily implemented over the Internet
due to its relatively modest bandwidth usage.

LDAP has influenced subsequent Internet protocols, including later versions of X.500, XML Enabled
Directory (XED), Directory Service Markup Language (DSML), Service Provisioning Markup
Language (SPML), and the Service Location Protocol (SLP). It is also used as the basis for Microsoft's
Active Directory.

Protocol overview
A client starts an LDAP session by connecting to an LDAP server, called a Directory System Agent (DSA), by default on TCP and UDP port 389, or on port 636 for LDAPS (LDAP over TLS/SSL, see below). The client then sends an operation request to the server, and the server sends responses in return. With some exceptions, the client does not need to wait for a response before sending the next request, and the server may send the responses in any order. All information is transmitted using Basic Encoding Rules (BER).

The client may request the following operations:

➢ StartTLS – use the LDAPv3 Transport Layer Security (TLS) extension for a secure connection
➢ Bind – authenticate and specify the LDAP protocol version
➢ Search – search for and/or retrieve directory entries
➢ Compare – test if a named entry contains a given attribute value
➢ Add – add a new entry
➢ Delete – delete an entry
➢ Modify – modify an entry
➢ Modify Distinguished Name (DN) – move or rename an entry
➢ Abandon – abort a previous request
➢ Extended Operation – generic operation used to define other operations
➢ Unbind – close the connection (not the inverse of Bind)

A common alternative method of securing LDAP communication is using an SSL tunnel. The default
port for LDAP over SSL is 636. The use of LDAP over SSL was common in LDAP Version 2
(LDAPv2) but it was never standardized in any formal specification. This usage has been deprecated
along with LDAPv2, which was officially retired in 2003.
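The session start described above, as an added example that is not part of the chapter: a minimal Python BER encoder for the LDAPv3 BindRequest and UnbindRequest a client sends on port 389, plus a decoder for the server's BindResponse. The bind DN, password and messages are constructed; only simple (password) authentication is shown, and since that password travels in clear it is exactly what StartTLS or LDAPS on port 636 protects.

```python
"""Minimal LDAPv3 message encoding in BER (RFC 4511 layout, X.690 encoding rules).

Builds the BindRequest and UnbindRequest a client sends over TCP port 389 and
decodes the server's BindResponse; only simple (password) authentication is shown.
"""
from dataclasses import dataclass

# Universal BER tags used by these messages
TAG_INTEGER = 0x02
TAG_OCTET_STRING = 0x04
TAG_ENUMERATED = 0x0A
TAG_SEQUENCE = 0x30
# LDAP operation tags: class APPLICATION (0x40), constructed bit (0x20) where applicable
TAG_BIND_REQUEST = 0x60    # [APPLICATION 0] SEQUENCE
TAG_BIND_RESPONSE = 0x61   # [APPLICATION 1] SEQUENCE (an LDAPResult)
TAG_UNBIND_REQUEST = 0x42  # [APPLICATION 2] NULL, primitive
TAG_SIMPLE_AUTH = 0x80     # AuthenticationChoice simple [0], context-specific primitive

LDAP_SUCCESS = 0
LDAP_INVALID_CREDENTIALS = 49

def ber_length(n: int) -> bytes:
    """Short form below 128; long form is 0x80 | byte count, then the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    """One tag-length-value element."""
    return bytes([tag]) + ber_length(len(content)) + content

def ber_integer(value: int) -> bytes:
    """Minimal two's-complement content bytes for INTEGER and ENUMERATED."""
    length = max(1, (value.bit_length() + 8) // 8)
    return value.to_bytes(length, "big", signed=True)

def bind_request(message_id: int, bind_dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = (tlv(TAG_INTEGER, ber_integer(3))
            + tlv(TAG_OCTET_STRING, bind_dn.encode("utf-8"))
            + tlv(TAG_SIMPLE_AUTH, password.encode("utf-8")))   # password travels in clear
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_integer(message_id)) + tlv(TAG_BIND_REQUEST, bind))

def unbind_request(message_id: int) -> bytes:
    """UnbindRequest carries no data; the server simply closes the connection."""
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_integer(message_id)) + tlv(TAG_UNBIND_REQUEST, b""))

def bind_response(message_id: int, result_code: int, matched_dn: str = "", diagnostic: str = "") -> bytes:
    """Server side: LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diagnosticMessage } }."""
    result = (tlv(TAG_ENUMERATED, ber_integer(result_code))
              + tlv(TAG_OCTET_STRING, matched_dn.encode("utf-8"))
              + tlv(TAG_OCTET_STRING, diagnostic.encode("utf-8")))
    return tlv(TAG_SEQUENCE, tlv(TAG_INTEGER, ber_integer(message_id)) + tlv(TAG_BIND_RESPONSE, result))

def read_tlv(buf: bytes, pos: int):
    """Decode one element at buf[pos]; returns (tag, content, position after the element)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        count = first & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length

@dataclass
class BindResult:
    message_id: int
    result_code: int
    matched_dn: str
    diagnostic: str

def decode_bind_response(buf: bytes) -> BindResult:
    """Parse the wire bytes of a BindResponse; raises ValueError on anything else."""
    tag, message, _ = read_tlv(buf, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("not an LDAPMessage")
    tag_id, mid, pos = read_tlv(message, 0)
    tag_op, result, _ = read_tlv(message, pos)
    if tag_id != TAG_INTEGER or tag_op != TAG_BIND_RESPONSE:
        raise ValueError("not a BindResponse")
    tag_code, code, pos = read_tlv(result, 0)
    tag_dn, matched, pos = read_tlv(result, pos)
    tag_msg, diag, _ = read_tlv(result, pos)
    if (tag_code, tag_dn, tag_msg) != (TAG_ENUMERATED, TAG_OCTET_STRING, TAG_OCTET_STRING):
        raise ValueError("malformed LDAPResult")
    return BindResult(int.from_bytes(mid, "big", signed=True),
                      int.from_bytes(code, "big", signed=True),
                      matched.decode("utf-8"), diag.decode("utf-8"))
```

Dumping `bind_request(1, "cn=admin,dc=example,dc=com", "secret").hex()` shows the password bytes verbatim after the 0x80 tag, which is the view a packet capture of an unprotected port 389 session gives.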

The protocol provides an interface with directories as follows:


➢ An entry consists of a set of attributes.
➢ An attribute has a name (an attribute type or attribute description) and one or more values.
➢ Each entry has a unique identifier: its Distinguished Name (DN). This consists of its Relative
Distinguished Name (RDN), constructed from some attribute(s) in the entry, followed by the
parent entry's DN. Think of the DN as the full file path and the RDN as its relative filename in
its parent folder (e.g. if /foo/bar/myfile.txt were the DN, then myfile.txt would be the RDN).

A DN may change over the lifetime of the entry, for instance, when entries are moved within a tree. To
reliably and unambiguously identify entries, a UUID might be provided in the set of the entry's
operational attributes.

2.3.2. Windows Active Directory


Active Directory (AD) is a directory service developed by Microsoft for Windows domain networks. It
is included in most Windows Server operating systems as a set of processes and services. Initially, it
was used only for centralized domain management. However, it eventually became an umbrella title for
a broad range of directory-based identity-related services.

A server running the Active Directory Domain Services (AD DS) role is called a domain controller. It authenticates and authorizes all users and computers in a Windows domain-type network, assigning and enforcing security policies for all computers, and installing or updating software. For example, when a user logs into a computer that is part of a Windows domain, Active Directory checks the submitted password and determines whether the user is a system administrator or a normal user. It also allows management and storage of information, provides authentication and authorization mechanisms, and establishes a framework to deploy other related services: Certificate Services, AD Federation Services, Lightweight Directory Services, and Rights Management Services. Active Directory uses LDAP versions 2 and 3, Microsoft's version of Kerberos, and DNS.


Microsoft previewed Active Directory in 1999, released it first with the Windows 2000 Server edition, and revised it to extend functionality and improve administration in Windows Server 2003. Additional improvements came with subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active Directory, such as Active Directory Federation Services. The part of the directory in charge of management of domains, which was previously a core part of the operating system, was renamed Active Directory Domain Services (AD DS) and became a server role like the others. Active Directory became the umbrella title of a broader range of directory-based services; everything related to identity was brought under Active Directory's banner.
2.3.2.1. Active Directory Services
Active Directory Services consist of multiple directory services. The best known is Active Directory
Domain Services, commonly abbreviated as AD DS or simply AD.

Domain Services (DS)


AD DS is the foundation stone of every Windows domain network. It stores information about
members of the domain, including devices and users, verifies their credentials and defines their access
rights. The server running this service is called a domain controller. A domain controller is contacted
when a user logs into a device, accesses another device across the network, or runs a line-of-business
Metro-style app sideloaded into a device.

Other Active Directory services (excluding LDS, which is discussed below) as well as most of
Microsoft server technologies rely on or use Domain Services; examples include Group Policy,
Encrypting File System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange
Server and SharePoint Server.

Lightweight Directory Services (LDS)


Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application Mode (ADAM), is an implementation of the LDAP protocol for AD DS. AD LDS runs as a service on Windows Server. AD LDS shares its code base with AD DS and provides the same functionality, including an identical API, but does not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS instances can run on the same server.

Certificate Services (CS)


AD Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create, validate and revoke public key certificates for internal uses of an organization. These certificates can be used to encrypt files, emails, and network traffic (when used by virtual private networks or the IPsec protocol). AD CS requires an AD DS infrastructure.

Federation Services (FS)


AD Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place, users may use several web-based services (e.g. Internet forum, blog, online shopping, webmail) or network resources using only one set of credentials stored at a central location, as opposed to having to be granted a dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: the latter (AD DS) enables users to authenticate with and use the devices that are part of the same network using one set of credentials, while the former (AD FS) enables them to use the same set of credentials in a different network.

As the name suggests, AD FS works based on the concept of federated identity. AD FS requires an AD DS infrastructure, although its federation partner need not.

Rights Management Services (RMS)


AD Rights Management Services (AD RMS) is server software for information rights management shipped with Windows Server. It uses encryption and a form of selective functionality denial to limit access to documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations authorized users can perform on them.
2.3.2.2. Logical Structure
As a directory service, an Active Directory instance consists of a database and corresponding
executable code responsible for servicing requests and maintaining the database. The executable part,
known as Directory System Agent, is a collection of Windows services and processes that run on
Windows 2000 and later. Objects in Active Directory databases can be accessed via LDAP, ADSI (a
component object model interface), messaging API and Security Accounts Manager services.

Objects
Active Directory structures are arrangements of information about objects. The objects fall into two
broad categories: resources (e.g., printers) and security principals (user or computer accounts and
groups). Security principals are assigned unique security identifiers (SIDs).

Each object represents a single entity—whether a user, a computer, a printer, or a group—and its
attributes. Certain objects can contain other objects. An object is uniquely identified by its name and
has a set of attributes—the characteristics and information that the object represents— defined by a
schema, which also determines the kinds of objects that can be stored in Active Directory.


The schema object lets administrators extend or modify the schema when necessary. However, because
each schema object is integral to the definition of Active Directory objects, deactivating or changing
these objects can fundamentally change or disrupt a deployment. Schema changes automatically
propagate throughout the system. Once created, an object can only be deactivated—not deleted.
Changing the schema usually requires planning.
Figure 2.2. Sample Network Diagram to indicate a Domain

Forests, trees, and domains


The Active Directory framework that holds the objects can be viewed at a number of levels. The forest,
tree, and domain are the logical divisions in an Active Directory network.

Within a deployment, objects are grouped into domains. The objects for a single domain are stored in
a single database (which can be replicated). Domains are identified by their DNS name structure, the
namespace.

A domain is defined as a logical group of network objects (computers, users, devices) that share the
same Active Directory database.

A tree is a collection of one or more domains and domain trees in a contiguous namespace, and is
linked in a transitive trust hierarchy.


At the top of the structure is the forest. A forest is a collection of trees that share a common global
catalog, directory schema, logical structure, and directory configuration. The forest represents the
security boundary within which users, computers, groups, and other objects are accessible.
Organizational Units

The objects held within a domain can be grouped into organizational units (OUs). OUs can provide
hierarchy to a domain, ease its administration, and can resemble the organization's structure in
managerial or geographical terms. Microsoft recommends using OUs rather than domains for structure
and to simplify the implementation of policies and administration. The OU is the recommended level at
which to apply group policies, which are Active Directory objects formally named group policy
objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the
level at which administrative powers are commonly delegated, but delegation can be performed on
individual objects or attributes as well.

Organizational units (OUs) do not each have a separate namespace. As a consequence, for compatibility with legacy NetBIOS implementations, user accounts with an identical account name are not allowed within the same domain even if the account objects are in separate OUs. This is because the account name, a user object attribute, must be unique within the domain. However, two users in different OUs can have the same common name (CN), the name under which they are stored in the directory itself, such as "fred.staff-ou.domain" and "fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs.
Note:
The reason for lack of duplicate names through hierarchical directory placement is that Microsoft
primarily relies on the principles of NetBIOS (i.e. a flat-namespace method of network object
management). Allowing for duplication of object names in the directory, or completely removing the
use of NetBIOS names, would prevent backward compatibility with legacy software and equipment.
However, disallowing duplicate object names in this way is a violation of the LDAP RFCs on which
Active Directory is supposedly based.

As the number of users in a domain increases, the duplicate naming issue gets even more complicated. Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID system of unique user ID numbers to use as account names in place of actual users' names, and allowing users to nominate their preferred word sequence within an acceptable use policy.

Because duplicate usernames cannot exist within a domain, account name generation poses a
significant challenge for large organizations that cannot be easily subdivided into separate domains,
such as students in a public school system or university who must be able to use any computer across
the network.
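As an added example (not from the chapter), Python that applies the DN/RDN rule of section 2.3.1 together with the naming rule of this section: it splits a DN into its RDN and parent DN, derives the domain from the dc= components, flags sAMAccountName collisions within a domain (CN may still repeat across OUs) and implements the digit-suffix workaround. The user objects are constructed sample data, and multi-valued RDNs joined with "+" are not handled.

```python
"""DN handling and the Active Directory account-name rule described above.

parse_dn() splits a DN into its RDNs (leaf RDN first, then the parent's DN),
honouring backslash-escaped and quoted commas. find_duplicate_accounts() applies
the rule that CN may repeat across OUs but sAMAccountName must be unique within a
domain; next_free_account_name() is the digit-suffix workaround. The user objects
at the bottom are constructed sample data, not real directory content.
"""
from typing import Dict, Iterable, List, Tuple

RDN = Tuple[str, str]

def parse_dn(dn: str) -> List[RDN]:
    """'CN=fred,OU=staff-ou,DC=example,DC=edu' -> [('cn','fred'), ('ou','staff-ou'), ...]."""
    rdns: List[RDN] = []
    buf: List[str] = []
    escaped = quoted = False

    def flush() -> None:
        text = "".join(buf).strip()
        if text:
            attr, _, value = text.partition("=")
            rdns.append((attr.strip().lower(), value.strip()))
        buf.clear()

    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == '"':             # legacy quoted value: keep content, drop the quotes
            quoted = not quoted
        elif ch == "," and not quoted:
            flush()
        else:
            buf.append(ch)
    flush()
    return rdns

def format_dn(rdns: List[RDN]) -> str:
    """Inverse of parse_dn(); re-escapes commas inside values."""
    parts = []
    for attr, value in rdns:
        parts.append(attr + "=" + value.replace(",", "\\,"))
    return ",".join(parts)

def rdn(dn: str) -> RDN:
    """The entry's own name within its parent (the 'filename' in the path analogy)."""
    return parse_dn(dn)[0]

def parent_dn(dn: str) -> str:
    """Everything after the RDN (the 'folder' in the path analogy)."""
    return format_dn(parse_dn(dn)[1:])

def domain_of(dn: str) -> str:
    """DNS name of the domain holding the entry, built from its dc= components."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "dc")

def find_duplicate_accounts(objects: Iterable[Dict[str, str]]) -> Dict[Tuple[str, str], List[str]]:
    """Group user objects by (domain, sAMAccountName) and return the groups holding more than
    one DN. Comparison is case-insensitive, as AD account names are."""
    groups: Dict[Tuple[str, str], List[str]] = {}
    for obj in objects:
        key = (domain_of(obj["dn"]).lower(), obj["sAMAccountName"].lower())
        groups.setdefault(key, []).append(obj["dn"])
    return {key: dns for key, dns in groups.items() if len(dns) > 1}

def next_free_account_name(base: str, taken: Iterable[str]) -> str:
    """Digit-suffix workaround: base, base1, base2, ... first name not already in use."""
    taken_lower = {name.lower() for name in taken}
    if base.lower() not in taken_lower:
        return base
    n = 1
    while f"{base}{n}".lower() in taken_lower:
        n += 1
    return f"{base}{n}"

# Constructed sample: two users named fred in different OUs of the same domain collide on
# sAMAccountName, while the fred in the child domain lab.example.edu does not.
SAMPLE_USERS = [
    {"dn": "CN=fred,OU=staff-ou,DC=example,DC=edu", "sAMAccountName": "fred"},
    {"dn": "CN=fred,OU=student-ou,DC=example,DC=edu", "sAMAccountName": "Fred"},
    {"dn": "CN=fred,OU=student-ou,DC=lab,DC=example,DC=edu", "sAMAccountName": "fred"},
    {"dn": "CN=Smith\\, Jane,OU=staff-ou,DC=example,DC=edu", "sAMAccountName": "jane.smith"},
]
```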


2.3.2.3. Physical Structure


Sites are physical (rather than logical) groupings defined by one or more IP subnets. AD also holds the
definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN)
links. Site definitions are independent of the domain and OU structure and are common across the
forest. Sites are used to control network traffic generated by replication and also to refer clients to the
nearest domain controllers (DCs).

Physically, the Active Directory information is held on one or more peer domain controllers (DCs). Each DC has a copy of the AD database. Servers joined to AD that are not domain controllers are called member servers. A subset of objects in the domain partition replicates to domain controllers that are configured as global catalogs. Global catalog (GC) servers replicate to themselves all objects from all domains and hence provide a global listing of all objects in the forest. However, to minimize replication traffic and keep the GC's database small, only selected attributes of each object are replicated. This set is called the partial attribute set (PAS).
Replication
Active Directory synchronizes changes using multi-master replication. Replication by default is 'pull'
rather than 'push', meaning that replicas pull changes from the server where the change was effected.
The Knowledge Consistency Checker (KCC) creates a replication topology of site links using the
defined sites to manage traffic. Intra-site replication is frequent and automatic as a result of change
notification, which triggers peers to begin a pull replication cycle. Inter-site replication intervals are
typically less frequent and do not use change notification by default, although this is configurable and
can be made identical to intra-site replication. Replication of Active Directory uses Remote Procedure
Calls (RPC) over IP (RPC/IP).
2.3.2.4. Implementation
In general, a network utilizing Active Directory has more than one licensed Windows server computer.
Backup and restore of Active Directory is possible for a network with a single domain controller, but
Microsoft recommends more than one domain controller to provide automatic failover protection of the
directory. Domain controllers are also ideally single-purpose for directory operations only, and should
not run any other software or role.

Certain Microsoft products such as SQL Server and Exchange can interfere with the operation of a domain controller, necessitating isolation of these products on additional Windows servers. Combining them can make configuration or troubleshooting of either the domain controller or the other installed software more difficult. A business intending to implement Active Directory is therefore recommended to purchase a number of Windows Server licenses, to provide for at least two separate domain controllers, and optionally, additional domain controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL Server, and so forth to support the various server roles.

Physical hardware costs for the many separate servers can be reduced through the use of virtualization,
although for proper failover protection, Microsoft recommends not running multiple virtualized domain
controllers on the same physical hardware.
2.3.2.5. Trusting
To allow users in one domain to access resources in another, Active Directory uses trusts. Trusts inside
a forest are automatically created when domains are created. The forest sets the default boundaries of
trust, and implicit, transitive trust is automatic for all domains within a forest.

Terminology
➢ One-way trust: One domain allows access to users on another domain, but the other domain
does not allow access to users on the first domain.
➢ Two-way trust: Two domains allow access to users on both domains.
➢ Trusted domain: The domain that is trusted; whose users have access to the trusting domain.
➢ Transitive trust: A trust that can extend beyond two domains to other trusted domains in the
forest.
➢ Intransitive trust: A one-way trust that does not extend beyond two domains.
➢ Explicit trust: A trust that an admin creates. It is not transitive and is one way only.
➢ Cross-link trust: An explicit trust between domains in different trees or in the same tree when
a descendant/ancestor (child/parent) relationship does not exist between the two domains.
➢ Shortcut: Joins two domains in different trees, transitive, one- or two-way.
➢ Forest trust: Applies to the entire forest. Transitive, one- or two-way.
➢ Realm: Can be transitive or nontransitive (intransitive), one- or two-way.
➢ External: Connect to other forests or non-AD domains. Nontransitive, one- or two-way.
➢ PAM trust: A one-way trust used by Microsoft Identity Manager from a (possibly low-level)
production forest to a (Windows Server 2016 functionality level) 'bastion' forest, which issues
time-limited group memberships.
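The trust terminology above, as an added example that is not from the chapter: a small Python model of trust direction and transitivity that answers "can users of domain X reach resources in domain Y". The domain names and trusts are constructed, and SID filtering and selective authentication are not modelled.

```python
"""Trust direction and transitivity in an Active Directory forest, as a reachability check.

A trust is stored as "trusting domain grants access to users of the trusted domain".
Two-way trusts add the reverse edge; a nontransitive trust may be the only hop on a
path, while any multi-hop path must consist of transitive trusts only.
Domain names and trusts below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

@dataclass(frozen=True)
class Trust:
    trusting: str            # domain whose resources become reachable
    trusted: str             # domain whose users gain access
    transitive: bool = True
    two_way: bool = True

def trust_edges(trusts: List[Trust]) -> Dict[str, List[Tuple[str, bool]]]:
    """Directed edges trusting -> (trusted, transitive); a two-way trust yields both directions."""
    edges: Dict[str, List[Tuple[str, bool]]] = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t.transitive))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t.transitive))
    return edges

def accessible_from(resource_domain: str, trusts: List[Trust]) -> Set[str]:
    """Domains whose users can reach resources in resource_domain (itself included)."""
    edges = trust_edges(trusts)
    reached = {resource_domain}
    expanded: Set[str] = set()
    queue = deque([resource_domain])          # domains reached by an all-transitive path
    while queue:
        dom = queue.popleft()
        if dom in expanded:
            continue
        expanded.add(dom)
        for nxt, transitive in edges.get(dom, []):
            if not transitive and dom != resource_domain:
                continue                      # nontransitive trusts span only their two domains
            reached.add(nxt)
            if transitive:
                queue.append(nxt)
    return reached

def can_access(user_domain: str, resource_domain: str, trusts: List[Trust]) -> bool:
    """True when users of user_domain are trusted, directly or transitively, by resource_domain."""
    return user_domain in accessible_from(resource_domain, trusts)

# Constructed forest: corp.example is the forest root with two child domains, eu.example is a
# second tree, and hq has a one-way nontransitive external trust to the non-AD domain partner.local.
SAMPLE_TRUSTS = [
    Trust("corp.example", "hq.corp.example"),        # parent-child, created automatically
    Trust("corp.example", "sales.corp.example"),
    Trust("corp.example", "eu.example"),             # tree-root trust, transitive two-way
    Trust("hq.corp.example", "partner.local", transitive=False, two_way=False),
]
```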
2.3.2.6. Management solutions
Microsoft Active Directory management tools include:
➢ Active Directory Administrative Center (introduced with Windows Server 2012 and above),
➢ Active Directory Users and Computers,
➢ Active Directory Domains and Trusts,
➢ Active Directory Sites and Services,
➢ ADSI Edit,
➢ Local Users and Groups,
➢ Active Directory Schema snap-ins for Microsoft Management Console (MMC),
➢ SysInternals ADExplorer

These management tools may not provide enough functionality for an efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities. They provide essential features for more convenient administration processes, such as automation, reports, integration with other services, etc.
2.3.2.7. Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.

Third parties offer Active Directory integration for Unix-like platforms, including:
➢ PowerBroker Identity Services – Allows a non-Windows client to join Active Directory
➢ ADmitMac (Thursby Software Systems)
➢ Samba – Can act as a domain controller

Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many
scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby. Free
and non-free AD administration tools can help to simplify and possibly automate AD management
tasks. Since October 2017 Amazon AWS offers integration with Microsoft Active Directory.
