Domain - Local security Database

[beaumontdvd]

Hi all, am I right in saying that in a workgroup each computer has its own local security database and in a domain the local security database isn't held on the DC for security? If not where is it held?

Also that you cannot logon to a domain locally? So when you login you will be logging in using domain credentials based on the active directory entries?

Also what happens if the domains down and AD is not installed would you be able to login to the dc?


Hope someone can explain in the simplest terms as I'm new to this domain environment

thanks,
Dave

[Boycie]

Quote:

Originally Posted by beaumontdvd

Hi all, am I right in saying that in a workgroup each computer has its own local security database and in a domain the local security database isn't held on the DC for security? If not where is it held?

In a workgroup environment each workstation is responsible for it's own security. The database is held by itself, yes. On a domain controller, the local security database is modified when dcpromo is run.

Quote:

Originally Posted by beaumontdvd

Also that you cannot logon to a domain locally? So when you login you will be logging in using domain credentials based on the active directory entries?

If you are talking about the domain controller, then yes. If you are talking about a client, there is a gpo to prevent a user logging on the workstation.

Quote:

Originally Posted by beaumontdvd

Also what happens if the domains down and AD is not installed would you be able to login to the dc?

If AD is not installed, you have no domain. If you mean what happens if the DC is down, a message would be presented to the user explaining the domain controller cannot be contacted, or if the cached credentials are configured, it may log the user on although not provide access to resources which require authentication.

[beaumontdvd]

Quote:

Originally Posted by Boycie

In a workgroup environment each workstation is responsible for it's own security. The database is held by itself, yes. On a domain controller, the local security database is modified when dcpromo is run.



If you are talking about the domain controller, then yes.



If AD is not installed, you have no domain. If you mean what happens if the DC is down, then would either get a message saying so, or if the cached credentials are configured would log on but would not be able to access resources which require authentication.

Thanks mate that makes sense, where is the security database held on a domain controller then? This is the bit that puzzles me, and also say we pulled the ethernet out on the DC but it had active directory would it still be able to log you on if there was a user account setup for dave in AD? Would it cach daves credentials to the dc and then look in ad for the username / password to authenticate it then provide the access token to the user dave?

Thanks,

[derkit]

Quote:

Originally Posted by beaumontdvd

Thanks mate that makes sense, where is the security database held on a domain controller then? This is the bit that puzzles me, and also say we pulled the ethernet out on the DC but it had active directory would it still be able to log you on if there was a user account setup for dave in AD? Would it cach daves credentials to the dc and then look in ad for the username / password to authenticate it then provide the access token to the user dave?

Thanks,

My understanding is that you'll still be able to logon to a workstation if it has a local profile already created on it. It may have issues trying to access other resources if they need authentication.

The security database - something to do with SAM off the top of my head?

(derkit is learning mode also!)

[Boycie]

Quote:

Originally Posted by beaumontdvd

Thanks mate that makes sense, where is the security database held on a domain controller then?

On the controller, mate. When dcpromo is run, the existing database is modified for the directory services.

Quote:

Originally Posted by beaumontdvd

say we pulled the ethernet out on the DC but it had active directory would it still be able to log you on if there was a user account setup for dave in AD? Would it cach daves credentials to the dc and then look in ad for the username / password to authenticate it then provide the access token to the user dave?

you could still log on, yes. there is nothing to cache if you were at the box. it would be checking against credentials already present.

[Boycie]

Quote:

Originally Posted by derkit

My understanding is that you'll still be able to logon to a workstation if it has a local profile already created on it. It may have issues trying to access other resources if they need authentication.

There is a gpo to allow a client a logon without domain controller authentication. I think the default is 10. This is handy for say a laptop user who may wish to use their machine outside the domain.

Quote:

Originally Posted by derkit

The security database - something to do with SAM off the top of my head?

SAM is the local security account manager, opposed to the active directory held on the domain controller.

[SimonD]

There are two distinct differences.

Workgroups are machine specific, if you don't have a machine created on the machine locally you can't 'generally' log on.

In AD, if you have the DC go down the only way you could log onto a workstation is if you had previously logged onto it and the machine has it stored in the cache (and yes, by default the machine retains 10 cached profiles).

As far as where the user\password information is kept, that's stored within Active Directory itself, each DC and GC will hold that information allowing you to log in (this is done via Kerberos Tickets), the thing to always remember is that Kerberos relies on a time being correct to within a defined skew (defaults to 5 minutes), if the clock on the machine is out of sync by more than 5 minutes you will have issues.
Another thing worth mentioning is that depending on the type of change AD will only sync at regular intervals, however if you make a change to an account (for instance changing the password) then the AD will sync between all DC's to ensure that they all have the correct and upto date information.

SAM is pretty old school, it was from the old NT4 days (and was actually something you could export to disk and apply programs such as L0pht Crack against).

[derkit]

Thanks for the info boycie

[derkit]

Quote:

Originally Posted by SimonD

SAM is pretty old school, it was from the old NT4 days (and was actually something you could export to disk and apply programs such as L0pht Crack against).

Ah,...... the old school days, and that program I remember working on our network back in '97

[Sparky]

Quote:

Originally Posted by beaumontdvd

Thanks mate that makes sense, where is the security database held on a domain controller then?

In a file call ntds.dit

http://www.windowsnetworking.com/kba...eNTDS.DIT.html

[beaumontdvd]

Thanks everyone for all the help
Im slowly getting through this 270
Just making sure I understand every little bit and going through it gradually
So if the ethernet was pulled out of the dc it would be possible to only logon using credentials I have used previously?
What If I have never logged on before would that make the domain unaccessible?
Thanks for the link sparky

Dave

[SimonD]

Quote:

Originally Posted by beaumontdvd

Thanks everyone for all the help
Im slowly getting through this 270
Just making sure I understand every little bit and going through it gradually
So if the ethernet was pulled out of the dc it would be possible to only logon using credentials I have used previously?
What If I have never logged on before would that make the domain unaccessible?
Thanks for the link sparky

Dave

It depends on whether you have a GC located on your network, if you do (and it's not your DC) then you can still log on, however if you don't then your machine would need to have something to authenticate you against, that's either a cached profile or a local user account. If it has neither you won't be able to log on to the machine (which makes sense, otherwise you could pretty much just log onto any machine and not worry about security).